
Innovative Cross-Domain Cyber Reactive Information Sharing (ICCyRIS)

Solicitation Number: BAA-RIK-14-02
Agency: Department of the Air Force
Office: Air Force Material Command
Location: AFRL/RIK - Rome

Note: There have been modifications to this notice.
BAA-RIK-14-02
Presolicitation
Added: Dec 18, 2013 1:13 pm

I. FUNDING OPPORTUNITY DESCRIPTION:


The Cross Domain Innovation & Science (CDIS) group of the Air Force Research Laboratory's Information Directorate is interested in new innovative technologies and capabilities, within the Multi-Level Security (MLS) and Cyber Security environments, that promote the state of the art for secure, accreditable, resilient and reactive capabilities to enhance the sharing of information between multiple security domains within both enterprise and mobile/tactical environments.


This BAA focuses on developing new technologies to allow secure data sharing; trusted computing; smart routing; cyber defense; Multi-Level Security (MLS) trust at the tactical edge; and a comprehensive, multi-security domain, user-defined operational picture to effectively and efficiently improve the state-of-the-art for defense enterprise, cloud, and mobile/tactical computing/operations.


The goals of this BAA are to improve cross-domain information sharing in five distinct technology areas:

    1. Multi-Enclave/Multi-Domain Cyber User Defined Operational Picture (UDOP) - Extending enterprise status monitoring efforts and Cross Domain Solutions (CDSs) adaptability to meet greater operator need.

    2. High Risk Data Type Mitigation - Providing micro-virtualized ultra-high-risk content and investigations for malicious behavior before passing them to other security domains.

    3. Fine-Grained Grammar for Orchestration - Use of formal grammars for quick adaptation of workflows to meet changing mission/security/performance requirements.

    4. Content and Label Based Routing - Extending the trust provided at node and network environments to the information objects being passed to assure end-to-end trust in passing and delivering information to recipients.

    5. MLS Trust at the Edge - Extending the robustness and usability of MLS mobile and desktop endpoint technology to meet the critical needs of our mobile warriors.


General Focus Areas Applicable to all FYs:


Incorporate Enterprise Security Features into Mobile/Tactical Systems
Given the expanding scope of threats to operational systems and networks, investigate and develop high assurance hardware features available in Enterprise environments for use within the mobile/tactical environments. Examples (not specific requirements) include but are not limited to Trusted Platform Module (TPM)/Secure Boot, Trusted Network Connect (TNC), and various x86/64 architecture security enhancements like VT-d/VT-x/ASLR/etc.


Automatically Evaluate Video Streams for Cross-Domain Releasability
Perform an analysis of alternatives and incorporate the most mature systems into a prototype for evaluating the releasability of streaming data. This specifically includes but is not limited to speech-to-text, person recognition, and object recognition functionality plus system(s) to reason over the results of these functions.


Improved Security Through Virtualization
Utilize the broad swath of virtualization technologies to improve the state of the art of information assurance. Note also the related High Risk Binary Assessment Focus Area for FY 15 under this BAA, as well as the Secure Data Containers Focus Area for FY16.


Novel, Trustworthy Filtration
Improve the state of data filtration through the use of techniques and procedures either previously unexplored in filtration or completely novel. Note that adding a new filter for an already covered file type is much less interesting than the ability to add classes of file types which are otherwise unaddressed by filtration engines. Note also the related High Risk Binary Assessment Focus Area for FY15 under this BAA, as well as the Imagery to Text Focus Area for FY18.


Improved Orchestration Interfaces that don't require a "Man-in-the-Loop"
Research and develop better automation of multiple data flows, each containing myriad functions and decision points, intended to affect large pools of data. This may be used in conjunction with various efforts such as the National Security Agency's (NSA's) Bray tool, Data Flow Configuration Format (DFCF), Guard Remote Management Protocol (GRMP), the CDS Management Information Base (MIB), and/or others. This capability includes the ability to demonstrate proposed changes against known pools of data, provide high level metrics regarding the original and changed results on those known pools of data, and to allow the user to drill down into greater, granular detail on the metrics as needed. These interfaces should not assume any particular degree of knowledge for users beyond a general computer use competency, and must ensure users' identity and authorization via appropriate methods.


Improved Machine-to-Machine Automation
Many cross domain links are established between automated systems for various purposes. There are large swaths of commonality across most of these links. Build tools to leverage unmodified CDSs from the Unified Cross Domain Management Office (UCDMO) baseline to better meet the need for creating similar links in the future.



Improved Commodity Multi-Level Security (MLS) Networking
Create networking capable of mandatory access control (MAC) for content, locations and users marked, approved and operating at different levels of classification (plus releasability, caveats, and other security-relevant markings) utilizing commodity hardware, operating systems, software and infrastructure as much as practical. Complete redevelopment/replacement of existing networking infrastructure and endpoints is explicitly outside the scope of this effort.


Focus Areas for FY15:


High Risk Binary Assessment
Demonstrate a capability to automate invocation of potentially malicious content within a secure environment (such as a sandbox, virtual machine, or "detonation chamber"). This capability should include scripting some appropriate number of user actions within commodity, unmodified applications and monitoring the environment for malicious or unexpected behaviors. The solution should incorporate both signature based detection of suspect behaviors as well as detection of aberrant behavior based on a learned fingerprint of the normal functioning of the consuming application(s) within the environment. For example, if a given application doesn't normally generate alternate data streams within Windows, then generating an alternate data stream upon opening a new file in that application should be flagged. The integrity of the mechanisms that identify these unexpected behaviors must be protected from tampering or observation from within the secure environment. The solution shall also include one or more ways to adapt to new exercising applications and steps within the secure environment, either to extend inspection of currently supported file types and/or to offer support for new file types. In the final version delivered, no particular degree of knowledge beyond a general computer use competency should be expected from operators or those who adapt the system in the aforementioned manner(s).


Situational Awareness of End-to-End Multi-level Information Flow
NSA's Cross Domain Solution Management Information Base (CDS-MIB) is a CDS-independent mechanism used to report information including flow performance, errors, and other metrics related to CDS health and status. This is only part of the picture that is necessary to efficiently be aware of the true multi-level information flow picture. The addition of information pertaining to CDS support devices such as external filtering appliances, CDS pre-processors, mission applications that leverage CDS and other IT integral to cross domain services (e.g., identity management, email infrastructure) is intended to enhance end-to-end situational awareness. This will increase situational awareness of all CDSs on the network, provide more insight into network status and services status, and provide opportunity for further integration with other activities, to include prior CDIS run efforts such as Audit-Based Sensing & Protection (ASP) and Behavior Based Risk Assurance (BBRA). Once this capability is developed, other capabilities such as load balancers and automatic failover can use the information.


CAC Authentication via MicroSD Certificate Storage
Commercial mobile devices on their own, with standard configuration, are not secure enough for government use. However, to save money, many agencies are looking to leverage them. This poses a challenge for securing government/sensitive data access by the device user, while maintaining all the functionality of the commercial device itself. One approach is to utilize micro/nano Secure Digital (SD) cards to provide secure storage of access certificates. Phase one of this focus area will develop a secure, "read only" certificate store utilizing the Micro and Nano SD card form factors for use in physically unmodified Commercial-Off-The-Shelf (COTS) Mobile Platforms. Software applications may be modified or created in order to demonstrate the functionality. The second phase of this focus area will test the proposed solution against real world scenarios utilizing life-like certificate data to ascertain robustness against published Security Technical Implementation Guides (STIGs).


Securing Commercial Off-The-Shelf (COTS) Mobile Device Common Access Card (CAC) Authentication via Near-Field Communication (NFC)
Several COTS mobile devices feature NFC capabilities. Concurrently, there are requirements for warfighters to authenticate on computing resources with their Common Access Card (CAC). Unfortunately, physical external readers for CACs are unwieldy extensions to mobile devices. As such, there may be an opportunity to investigate utilizing the COTS NFC capabilities assuming they meet or exceed the security requirements accomplished by the physical readers. Given the repeated demonstrations given at most modern Black Hat events exploiting COTS NFC capabilities in many various ways, skepticism as to these devices' security capabilities will need to be assuaged and demonstrated as mitigated appropriately for operationally meaningful situations. Additionally, the demonstrated solution has additional challenges: It must be able to prevent unauthorized access to sensitive data provided via CAC PKI capabilities, it must securely account for users with multiple credentials and access their existing certificates within appropriate networks (as in Global Access List, Lightweight Directory Access Protocol (LDAP)/ Active Directory (AD), etc.), must have a segregation capability if malicious code is detected, and allow for appropriate persistence of user authentication even after the device and NFC tag are outside of scanning range.


Focus Areas for FY 16:


Secure Data Containers
Create and demonstrate a method to generate, secure and safely destroy three or more secure data containers (SDCs) within recent versions of the Android mobile operating system (OS) running on unmodified COTS hardware. These SDCs are required to hold application data so that other applications or instances of the same applications cannot access sensitive or proprietary information that resides elsewhere on a mobile device. They must be application agnostic; however, they must also be able to hold the application's data securely. Use of commercial applications on these devices with a degree of trust will require the application runtime in the mobile OS to provide appropriate separation from the rest of the trusted environment. This will require assurance of robust segregation as well as dynamic, configurable control of Android's "app intents" within single SDCs as well as across multiple SDCs on a single mobile device. Additionally, current configurations of the Android OS allow for multiple calls among applications without user intervention (e.g., a photo app calls the camera, Global Positioning System (GPS), location service, etc.). As such, SDCs must also allow multiple instantiations of an application (i.e., navigation, email, etc.) within one or more individual domains on a mobile device without violating the integrity of those individual containers. These SDCs must have a periodic capability to test their integrity, assure that no data path exists between containers that is not explicitly permitted, allow no communication between instances of the same application across SDCs, be able to support dynamic application/sensor calls with negligible performance degradation, and assure apps are confined to their specified SDC.


Adaptive Filter Workflows
Prototype a solution that augments existing Cross Domain Solution (CDS) orchestration grammars to address relative confidence in filters within each given data flow. This explicitly includes both deterministic and heuristic filtration tools, as well as the confidence in a given tool's capability in a given role. Binary (go/no-go) decisions are based on filter inputs to handle probabilistic determination based on a "building confidence" model. This requires the generation of a generalized list of "cases" to decide over as well as the creation of a secure decision algorithm. The prototype is expected to demonstrate its capability over multiple filter and file types. In the final deliverable, filter types must include multiple (4+) different degrees of trust in their function/capability as well as both deterministic and heuristic filtration tools. Workflows orchestrated by the demonstration must be nontrivial, including the ability to transform files between different formats as well as both detecting and reacting to failure of transfer. Additionally, the final capability must be able to handle multiple (>5) distinct file types appropriately.


Cross Domain Solution (CDS) Load Balancing and Failover
In order to support the Department of Defense (DoD) Enterprise's 24x7 operational requirements, CDSs will need to be able to support load balancing and failover. CDSs are not uniform, as different types handle different protocols and data formats in different ways, often with security relevant implications and always affecting acceptable load balancing or failover processes. The first phase of this research is the development of CDS-agnostic best practices for the load balancing and failover handling for CDSs. Due to the proprietary nature of some CDSs, this would require some standardization or a least common denominator approach on the part of the load balancing solution. Research aligned to this effort includes the load balancing communication by which system status is tracked and work is distributed. Examples of available CDS sensors and communication protocols include CDS Management Information Base (MIB), the Guard Remote Management Protocol (GRMP), and numerous others. Off-The-Shelf (OTS) solutions should be investigated to be leveraged or integrated. For the second phase, develop a means for implementing solutions to complex use cases with consideration to available, deployed guards. Design and implement a test procedure to validate the viability of the technology. Security and transition readiness are top priorities during this phase of development and integration.


Mobile Android Multi-Biometric Acquisition (MAMBA)
Develop a mobile application that fully leverages the available biometric sensors (accelerometer, GPS, camera, fingerprint reader, microphone, etc.) in current and future cellular phone and/or tablet devices and securely transmits recorded data for analysis. The first phase of this effort will create and/or integrate a prototype solution that can interface and/or integrate with a COTS mobile device, then evaluate the efficacy of data and functionality of the solution in a variety of scenarios. The solution should be hardware platform independent, meaning the brand of phone or tablet used should not matter. However, the proposed solution should be built on the COTS mobile operating system Android OS at a minimum, with SE Android being the preferred mobile OS. In addition, other secure mobile OSs are potentially interesting. In the second phase, conduct a field test of the solution across multiple hardware platforms recording and transmitting a variety of biometric data points. These tests will be conducted to evaluate the ability of the prototype to interface with existing, live AF or equivalent data repositories. Collected data may be enhanced as necessary to achieve proper robustness for identification purposes with a maximum false-positive rate of 0.1%.


Focus Areas for FY 17:


On-Demand Cross Domain Solution (CDS) Filtering
Provide a trustworthy mechanism to securely store, deliver, and deploy new filters into CDSs on demand. The intent is to develop a new, or extend an existing, agnostic Application Programmer's Interface (API) to allow multiple disparate transfer CDSs to interrogate one or more trusted store(s) for filters to be securely delivered in near-real-time, and to provide a reference implementation for that trusted store. This is intended to allow CDSs to adapt to changing workload requirements and threat environments. If the CDS already contains a similar capability or partial capability, it is expected that this API will wrap it rather than redeveloping it.


Enhance Logic and Visualization for Enterprise Capabilities
Extend the ability to monitor one or more transfer Cross Domain Solutions (CDSs) beyond prior efforts' scope by incorporating business logic through a reasoning engine to examine the data collected and stored via CDS-MIB, SNMP and perhaps alternate sources, as well as performing trend analysis across this information. This would be expected to automatically suggest and/or enforce reporting and warning thresholds to alert responsible parties, via Simple Network Management Protocol (SNMP) (for integration with enterprise management and alert systems), email and/or text, of abnormal activity with respect to the CDSs' normal functioning. Given other previously developed tools, this developed capability might be expected to automatically react to incoming data and alter one or more CDSs' operational posture, either to ensure operational goals and/or to reduce data exfiltration/malware infiltration.


Mobile MLS Cross Domain XML Routing
Evaluate existing XML data tagging standards for use in both IP-based wired networks and wireless mobile networking environments, both for traditional tagging roles and also in support of cross security domain routing decisions. Publish this evaluation in order to gather feedback and consensus and hopefully drive standardization across DoD/IC and eventually the mobile industry. Finally, develop a prototype that enables standardized cross domain routing originating and/or ending on a mobile platform.


Advanced File Typing
Perform best of breed Analysis of Alternatives between deep content inspection and/or file parsing capabilities such as Apache Tika, Data Format Description Language (DFDL), and similar. Using the best of breed, create a prototype to perform deep content inspection of files to detect and/or extract metadata, binary blobs and/or structured text content to properly & fully identify file types (Multipurpose Internet Mail Extension (MIME) types). Develop with common programmatic API calls plus appropriate web service interfaces and NSA's Filter Componentization Effort (FCE) specification. Test and evaluate performance and reliability of file type identification. Include edge cases such as polymorphism, spoofing, multiple file type compatibilities, and container file types.
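The edge cases this focus area names (extension spoofing, files that are valid as more than one type, and container formats such as OOXML inside ZIP) in an added Python example that is not part of the BAA or any project it references; the signature table, extension map and sample files are constructed for illustration:

```python
import io
import os
import zipfile

# Constructed magic-byte table (prefix -> MIME type); a real engine would be far larger.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
XLSX = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"

# Constructed extension map standing in for the "declared" type a filename claims.
EXTENSION_MIME = {
    ".png": "image/png", ".jpg": "image/jpeg", ".gif": "image/gif",
    ".pdf": "application/pdf", ".zip": "application/zip",
    ".docx": DOCX, ".xlsx": XLSX, ".jar": "application/java-archive",
}


def _refine_zip(data: bytes) -> str:
    """ZIP is a container: look at the entry names to decide what it really carries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "application/zip"  # end-of-archive record found but directory unreadable
    if "[Content_Types].xml" in names:
        if any(n.startswith("word/") for n in names):
            return DOCX
        if any(n.startswith("xl/") for n in names):
            return XLSX
        return "application/vnd.openxmlformats-officedocument"
    if "META-INF/MANIFEST.MF" in names:
        return "application/java-archive"
    return "application/zip"


def identify_all(data: bytes) -> set:
    """Return every type the bytes are valid as; more than one means a polyglot."""
    found = set()
    for magic, mime in MAGIC:
        if data.startswith(magic):
            found.add(mime)
    # PDF readers tolerate the header anywhere in the first 1024 bytes, so do the same.
    if b"%PDF-" in data[:1024]:
        found.add("application/pdf")
    # The ZIP end-of-central-directory record lives at the tail, so a ZIP can hide
    # behind any other header; is_zipfile looks there rather than at the prefix.
    if zipfile.is_zipfile(io.BytesIO(data)):
        found.add(_refine_zip(data))
    return found or {"application/octet-stream"}


def check(filename: str, data: bytes) -> dict:
    """Compare the type the name declares against what the content actually is."""
    declared = EXTENSION_MIME.get(os.path.splitext(filename)[1].lower())
    detected = identify_all(data)
    return {
        "filename": filename,
        "declared": declared,
        "detected": sorted(detected),
        "spoofed": declared is not None and declared not in detected,
        "polyglot": len(detected) > 1,
    }


def make_ooxml(part_dir: str) -> bytes:
    """Build a minimal constructed OOXML-style archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part_dir + "/document.xml", "<doc/>")
    return buf.getvalue()


# Constructed samples: a PNG, a PDF, a DOCX, and a PDF with a DOCX appended (polyglot).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << >> endobj\n%%EOF\n"
SAMPLE_DOCX = make_ooxml("word")
SAMPLE_POLYGLOT = SAMPLE_PDF + SAMPLE_DOCX

if __name__ == "__main__":
    for name, blob in [("scan.png", SAMPLE_PNG), ("report.pdf", SAMPLE_PNG),
                       ("notes.docx", SAMPLE_DOCX), ("notes.docx", SAMPLE_POLYGLOT)]:
        print(check(name, blob))
```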


Focus Areas for FY 18:


Imagery to Text
In order to better meet warfighter operational needs, perform an Analysis of Alternatives on commercial, open source and Government Off-The-Shelf (GOTS) tools which provide Optical Character Recognition (OCR) and related capabilities. Include analysis on cost, performance, hardware requirements, accuracy (false positive / false negative rates), and other relevant features. Use the highest rated alternative to generate raw text files from multiple (3+) disparate imagery file and/or streaming formats. Create interfaces to feed output to other processes such as the Filter Componentization Effort (FCE) specification among other relevant specifications. Ensure the product provides appropriate levels of auditing and meets relevant assurance requirements.



II. AWARD INFORMATION:


Total funding for this BAA is approximately $24 M. The anticipated funding to be obligated under this BAA is broken out by fiscal year as follows: FY 15 - $6M; FY 16 - $6M; FY 17 - $6M; FY 18 - $6M. Individual awards will not normally exceed 36 months with dollar amounts normally ranging between $250K to $500K per year. There is also the potential to make awards up to any dollar value. Awards of efforts as a result of this announcement will be in the form of contracts, grants or cooperative agreements or other transactions depending upon the nature of the work proposed. The Government reserves the right to select all, part, or none of the proposals received, subject to the availability of funds. All potential Offerors should be aware that due to unanticipated budget fluctuations, funding in any or all areas may change with little or no notice.



III. ELIGIBILITY INFORMATION:


1. ELIGIBLE APPLICANTS: All qualified offerors who meet the requirements of this BAA may apply. Foreign or foreign-owned offerors are advised that their participation is subject to foreign disclosure review procedures. Foreign or foreign-owned offerors should immediately contact the contracting office focal point, Gail E. Marsh, Contracting Officer, telephone (315) 330-7518 or e-mail gail.marsh@us.af.mil for information if they contemplate responding. The e-mail must reference the title and BAA-RIK-14-02.


2. COST SHARING OR MATCHING: Cost sharing is not a requirement.


3. System for Award Management (SAM). Offerors must be registered in the SAM database to receive a contract award, and remain registered during performance and through final payment of any contract or agreement. Processing time for registration in SAM, which normally takes forty-eight hours, should be taken into consideration when registering. Offerors who are not already registered should consider applying for registration before submitting a proposal.


4. Executive Compensation and First-Tier Sub-contract/Sub-recipient Awards: Any contract award resulting from this announcement may contain the clause at FAR 52.204-10 - Reporting Executive Compensation and First-Tier Subcontract Awards. Any grant or agreement award resulting from this announcement may contain the award term set forth in 2 CFR, Appendix A to Part 25: http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=c55a4687d6faa13b137a26d0eb436edb&rgn=div5&view=text&node=2:1.1.1.41&idno=2#2:1.1.1.4.1.2.1.1



IV. APPLICATION AND SUBMISSION INFORMATION:


1. APPLICATION PACKAGE: THIS ANNOUNCEMENT CONSTITUTES THE ONLY SOLICITATION. WE ARE SOLICITING WHITE PAPERS ONLY. DO NOT SUBMIT A FORMAL PROPOSAL AT THIS TIME.


Those white papers found to be consistent with the intent of this BAA may be invited to submit a technical and cost proposal, see Section VI of this announcement for further details.


For additional information, a copy of the AFRL "Broad Agency Announcement (BAA): Guide for Industry," May 2012, may be accessed at: https://www.fbo.gov/index?s=opportunity&mode=form&id=e68f832abb3a7341bb7328547c0e19c0&tab=core&_cview=0


2. CONTENT AND FORM OF SUBMISSION: Offerors are required to submit 3 copies of a 3 to 5 page white paper summarizing their proposed approach/solution. The purpose of the white paper is to preclude unwarranted effort on the part of an offeror whose proposed work is not of interest to the Government.
 
The white paper will be formatted as follows: Section A: Title, Period of Performance, Estimated Cost, Name/Address of Company, Technical and Contracting Points of Contact (phone, fax and email)(this section is NOT included in the page count); Section B: Task Objective; and Section C: Technical Summary and Proposed Deliverables. Multiple white papers within the purview of this announcement may be submitted by each offeror. If the offeror wishes to restrict its white papers/proposals, they must be marked with the restrictive language stated in FAR 15.609(a) and (b). All white papers/proposals shall be double spaced with a font no smaller than 12 pitch. In addition, respondents are requested to provide their Commercial and Government Entity (CAGE) number, their Dun & Bradstreet (D&B) Data Universal Numbering System (DUNS) number, a fax number, an e-mail address, and reference BAA-RIK-14-02 with their submission. All responses to this announcement must be addressed to the technical POC, as discussed in paragraph six of this section.


3. SUBMISSION DATES AND TIMES: It is recommended that white papers be received by the following dates to maximize the possibility of award: FY 15 by 30 Jan 14, FY 16 by 15 Jan 15, FY 17 by 15 Jan 16, and FY 18 by 17 Jan 17. White papers will be accepted until 2pm Eastern time on 30 September 2018, but it is less likely that funding will be available in each respective fiscal year after the dates cited. FORMAL PROPOSALS ARE NOT BEING REQUESTED AT THIS TIME.


4. FUNDING RESTRICTIONS: The cost of preparing white papers/proposals in response to this announcement is not considered an allowable direct charge to any resulting contract or any other contract, but may be an allowable expense to the normal bid and proposal indirect cost specified in FAR 31.205-18. Incurring pre-award costs for ASSISTANCE INSTRUMENTS ONLY is regulated by the DoD Grant and Agreements Regulations (DODGARS).


5. All Proposers should review the NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL, (NISPOM), dated February 28, 2006 as it provides baseline standards for the protection of classified information and prescribes the requirements concerning Contractor Developed Information under paragraph 4-105. Defense Security Service (DSS) Site for the NISPOM is: http://www.dss.mil/.


6. OTHER SUBMISSION REQUIREMENTS: DO NOT send white papers to the Contracting Officer.


All responses to this announcement must be addressed to:


ATTN: Michael J. Mayhew
AFRL/RIEBA
ICCyRIS BAA: BAA-RIK-14-02
525 Brooks Road
Rome, NY 13441-4505


Electronic submission to Michael.Mayhew.1@us.af.mil will also be accepted.


In the event of a possible or actual compromise of classified information in the submission of your white paper or proposal, immediately but no later than 24 hours, bring this to the attention of your cognizant security authority and AFRL Rome Research Site Information Protection Office (IPO):


    Bob Kane
    315-330-2324 0730-1630 Monday-Friday
    315-330-2961 Evenings and Weekends
    Email: Robert.Kane.7@us.af.mil


V. APPLICATION REVIEW INFORMATION:


1. CRITERIA: The following criteria, which are listed in descending order of importance, will be used to determine whether white papers and proposals submitted are consistent with the intent of this BAA and of interest to the Government: (1) Overall Scientific and Technical Merit -- Including the degree of innovation for the approach and the use of innovative modern architectures in development and/or enhancement of the proposed technology; the use of analysis, metrics & testing and adherence to Information Assurance and Cross-Domain best practices, (2) Related Experience - The extent to which the offeror demonstrates relevant technology and domain knowledge and experience within cross-domain environments, (3) Openness, Maturity & Assurance of Solution - The extent to which existing capabilities and standards are leveraged and the relative maturity of the proposed technology in terms of degree of Information Assurance and Cross-Domain standards implemented, and (4) Reasonableness and Realism of proposed costs and fees (if any). No further evaluation criteria will be used in selecting white papers/proposals. Individual white paper/proposal evaluations will be evaluated against the evaluation criteria without regard to other white papers and proposals submitted under this BAA. White papers and proposals submitted will be evaluated as they are received.


2. REVIEW AND SELECTION PROCESS: Only Government employees will evaluate the white papers/proposals for selection. The Air Force Research Laboratory's Information Directorate has contracted for various business and staff support services, some of which require contractors to obtain administrative access to proprietary information submitted by other contractors. Administrative access is defined as "handling or having physical control over information for the sole purpose of accomplishing the administrative functions specified in the administrative support contract, which do not require the review, reading, or comprehension of the content of the information on the part of non-technical professionals assigned to accomplish the specified administrative tasks." These contractors have signed general non-disclosure agreements and organizational conflict of interest statements. The required administrative access will be granted to non-technical professionals. Examples of the administrative tasks performed include: a. Assembling and organizing information for R&D case files; b. Accessing library files for use by government personnel; and c. Handling and administration of proposals, contracts, contract funding and queries. Any objection to administrative access must be in writing to the Contracting Officer and shall include a detailed statement of the basis for the objection.


3. The Government may simultaneously evaluate proposals received under this BAA from multiple offerors. In this case, the Government may make award based on adequate price competition, and offerors must be aware that there is a possibility of non-selection due to a proposal of similar but higher-priced technical approach as compared to another offeror.



VI. AWARD ADMINISTRATION INFORMATION:


1. AWARD NOTICES: Those white papers found to be consistent with the intent of this BAA may be invited to submit a technical and cost proposal. Notification by email or letter will be sent by the technical POC. Such invitation does not assure that the submitting organization will be awarded a contract. Those white papers not selected to submit a proposal will be notified in the same manner. Prospective offerors are advised that only Contracting Officers are legally authorized to commit the Government.


All offerors submitting white papers will be contacted by the technical POC, referenced in Section VII of this announcement. Offerors can email the technical POC for status of their white paper/proposal no earlier than 45 days after submission.


2. ADMINISTRATIVE AND NATIONAL POLICY REQUIREMENTS: Depending on the work to be performed, the offeror may require a Secret or Top Secret facility clearance and safeguarding capability; therefore, personnel identified for assignment to a classified effort must be cleared for access to Secret or Top Secret information at the time of award. In addition, the offeror may be required to have, or have access to, a certified and Government-approved facility to support work under this BAA. This acquisition may involve data that is subject to export control laws and regulations. Only contractors who are registered and certified with the Defense Logistics Information Service (DLIS) at http://www.dlis.dla.mil/jcp/ and have a legitimate business purpose may participate in this solicitation. For questions, contact DLIS on-line at http://www.dlis.dla.mil/jcp or at the DLA Logistics Information Service, 74 Washington Avenue North, Battle Creek, Michigan 49037-3084, and telephone number 1-800-352-3572. You must submit a copy of your approved DD Form 2345, Militarily Critical Technical Data Agreement, with your proposal.


3. DATA RIGHTS: The potential for inclusion of Small Business Innovation Research (SBIR) or data rights other than unlimited on awards is recognized. In accordance with (IAW) the Small Business Administration (SBA) SBIR Policy Directive, Section 8(b), SBIR data rights clauses are non-negotiable and must not be the subject of negotiations pertaining to an award, or diminished or removed during award administration. Issuance of an award will not be made conditional based on forfeit of data rights. If the SBIR awardee wishes to transfer its SBIR data rights to the Air Force or to a third party, it must do so in writing under a separate agreement. A decision by the awardee to relinquish, transfer, or modify in any way its SBIR data rights must be made without pressure or coercion by the agency or any other party. Non-SBIR data rights less than unlimited will be evaluated and negotiated on a case-by-case basis. Government Purpose Rights are anticipated for data developed with DoD-reimbursed Independent Research and Development (IR&D) funding.


4. REPORTING: Once a proposal has been selected for award, offerors will be given complete instructions on the submission process for the reports.


VII. AGENCY CONTACTS:


Questions of a technical nature shall be directed to the cognizant technical point of contact, as specified below:
Michael J. Mayhew
Telephone: (315) 330-2898
Email: michael.mayhew.1@us.af.mil


Questions of a contractual/business nature shall be directed to the cognizant contracting officer, as specified below:


Gail E. Marsh
Telephone: (315) 330-7518
Email: Gail.Marsh@us.af.mil


The email must reference the solicitation (BAA) number and title of the acquisition.


In accordance with AFFARS 5301.91, an Ombudsman has been appointed to hear and facilitate the resolution of concerns from offerors, potential offerors, and others for this acquisition announcement. Before consulting with an ombudsman, interested parties must first address their concerns, issues, disagreements, and/or recommendations to the contracting officer for resolution. AFFARS Clause 5352.201-9101 Ombudsman (Apr 2010) will be incorporated into all contracts awarded under this BAA.


The AFRL Ombudsman is as follows:


    Ms. Barbara Gehrs
    AFRL/PK
    1864 4th Street
    Building 15, Room 225
    Wright-Patterson AFB OH 45433-7130
    FAX: (937) 656-7321; Comm: (937) 904-4407
    Email: Barbara.Gehrs@us.af.mil


All responsible organizations may submit a white paper which shall be considered.


 

Added: Jan 06, 2014 12:01 pm

The purpose of this modification is to make the following changes to SECTION I, "Funding Opportunity Description": 1) Move two (2) focus areas from Focus Areas for FY15 to the General Focus Areas for all FYs and 2) Add a new focus area under Focus Areas for FY15. No other changes have been made.



General Focus Areas Applicable to all FYs:


The following paragraphs are moved from Focus Areas for FY15 and added to General Focus Areas Applicable to all FYs:


CAC Authentication via MicroSD Certificate Storage
Commercial mobile devices on their own, with standard configuration, are not secure enough for government use. However, to save money, many agencies are looking to leverage them. This poses a challenge for securing government/sensitive data access by the device user, while maintaining all the functionality of the commercial device itself. One approach is to utilize micro/nano Secure Digital (SD) cards to provide secure storage of access certificates. Phase one of this focus area will develop a secure, "read only" certificate store utilizing the Micro and Nano SD card form factors for use in physically unmodified Commercial-Off-The-Shelf (COTS) Mobile Platforms. Software applications may be modified or created in order to demonstrate the functionality. The second phase of this focus area will test the proposed solution against real world scenarios utilizing life-like certificate data to ascertain robustness against published Security Technical Implementation Guides (STIGs).


Securing Commercial Off-The-Shelf (COTS) Mobile Device Common Access Card (CAC) Authentication via Near-Field Communication (NFC)
Several COTS mobile devices feature NFC capabilities. Concurrently, there are requirements for warfighters to authenticate on computing resources with their Common Access Card (CAC). Unfortunately, physical external readers for CACs are unwieldy extensions to mobile devices. As such, there may be an opportunity to investigate utilizing the COTS NFC capabilities, assuming they meet or exceed the security requirements accomplished by the physical readers. Given the repeated demonstrations at recent Black Hat events of COTS NFC capabilities being exploited in various ways, skepticism as to these devices' security capabilities will need to be assuaged, and the risks demonstrated as appropriately mitigated for operationally meaningful situations. Additionally, the demonstrated solution faces further challenges: it must be able to prevent unauthorized access to sensitive data provided via CAC PKI capabilities; it must securely account for users with multiple credentials and access their existing certificates within appropriate networks (as in Global Access List, Lightweight Directory Access Protocol (LDAP)/Active Directory (AD), etc.); it must have a segregation capability if malicious code is detected; and it must allow for appropriate persistence of user authentication even after the device and NFC tag are outside of scanning range.


Focus Areas for FY15:


The following is a new paragraph added under Focus Areas for FY15:

Dynamic Mobile Device Management (DMDM)

In order to provide secure containers for multiple compartments within mobile devices, a dynamic method to manage mobile devices using a secure Operating System (such as SE-Android) is required. This topic is to develop and demonstrate an innovative method for the management of such a device. The following management capabilities must be considered: support for multiple compartments on a single mobile platform, dividing each container into separate compartments, each with their own storage, keystore, and applications; the ability to provide flexible policies for the communication of all applications with each other and the device; high-level enforcement of applications to operate as specified by policy within a container; typical device management, which includes user management, device lock-down, container isolation protection, tamper resistance, and remote management (including the ability to wipe the device if compromised); and continual assessment of the device's security state, taking appropriate actions when that state is compromised. The prototype delivered must incorporate as many of these capabilities as possible and demonstrate successful container separation, device and policy management, and attestation of device security.

Added: Jan 24, 2014 8:10 am
The purpose of this modification is to notify respondents that all foreign allied participation is excluded at the prime contractor level. All other information remains the same.
Added: Nov 21, 2014 2:20 pm



The purpose of this modification is to:

1) Revise the POC for AFRL Rome Research Site Information Protection Office in SECTION IV.3.a:

The new POC is:


    Vincent Guza
    315-330-4048 0730-1630 Monday - Friday
    315-330-2961 Evenings and Weekends
    Email: vincent.guza@us.af.mil


2) Revise the phone number for the technical POC in SECTION VII - Agency Contacts. The new phone number for Lt Bridget Flatley is as follows:

    1Lt Bridget Flatley
    AFRL/RISD
    525 Brooks Road
    Rome New York 13441-4505
    Telephone: (315) 330-4346
    Email: bridget.flately.1@us.af.mil


No other changes are being made.

Added: Dec 02, 2014 2:20 pm
The purpose of this modification is to make the following changes to SECTION I, "Funding Opportunity Description": 1) Add an additional topic, "Real Time Mobile Authentication", to the General Focus Areas; 2) Delete in its entirety the general topic entitled "Incorporate Enterprise Security Features into Mobile/Tactical Systems" from General Focus Areas; 3) Delete all of the current focus area descriptions under Focus Areas for FY16; and 4) Add four updated focus area topics to Focus Areas for FY16.


No other changes have been made.


1)  Added to General Focus Areas Applicable to all FYs:


Real Time Mobile Authentication


Many mobile users, especially field operators and tactical users, require mobile devices to be unlocked or readily available at any time throughout the mission. Long passphrases can be difficult to remember and may require attention that directs the user's vision away from the battlefield. Unfortunately, leaving the devices unlocked poses a large security risk if the phones are lost or stolen. By leveraging the sensors on the device (e.g., camera, GPS, accelerometer (gait), humidity, temperature) along with new wearable technology (blood pressure, heart beat, body temperature), advanced policies can be created to authenticate the user with the mobile device and keep mission-critical applications unlocked and ready to use. These policies should be dynamic and adapt to the environment of the user; for example, they may trigger operations such as locking the device or, in certain locations, wiping the device entirely. Measures of effectiveness will be based on authentication false positive/negative rates, impacts to battery life, CPU performance, I/O performance, and tactical use cases.


2)  Delete from General Focus Areas Applicable to all FYs: Incorporate Enterprise Security Features into Mobile/Tactical Systems


3)  Delete from Focus Areas for FY 16 the following topics:


     a. Secure Data Containers
     b. Adaptive Filter Workflows
     c. Cross Domain Solution (CDS) Load Balancing and Failover
     d. Mobile Android Multi-Biometric Acquisition (MAMBA)


4)  Added to Focus Areas for FY 16:


Multi-Level-Security Mobile Secure Foundation


Currently we are tracking two major technical approaches for Multi-Level Security (MLS) on Commercial Off-The-Shelf (COTS) hardware running the Android ecosystem. The first approach utilizes a hypervisor to separate multiple virtual machines' operations within the secure device. The second utilizes Security Enhanced (SE) Android policy to separate (sets of) processes. Both of these efforts have disparate strengths and weaknesses, as measured by performance, battery life, boot and access times, and other metrics. Other technical approaches to achieve assured Multi-Level Security operation within the Android ecosystem may also be viable, if they can be brought to a similar or higher degree of maturity as well as accomplishing the rest of the tasking by the end of this effort. This effort is to provide a secure foundation for additional development in mobile devices for multiple DoD/IC use cases. As such, the solution chosen must follow accreditation guidelines throughout the effort and ideally have zero outstanding technical issues which would preclude accreditation. Additionally, the chosen solution must adhere to the relevant portions of the Mobility Capability Package protection profiles and National Information Assurance Partnership (NIAP) guidelines. The architecture shall include components selected from the National Security Agency Commercial Solutions for Classified (CSfC) such as Data at Rest, Data in Transit, Mobile Device Management, etc. Finally, it is important that the solution be compatible with military needs for current and future tactical usage, including the continued usage of hardware peripherals. The successful solution will be based on commodity hardware, and ideally with commodity firmware utilizing hardware-based attestation (e.g. Trusted Platform Module (TPM), ARM TrustZone, Samsung KNOX, etc.) through the boot cycle and normal operation of the device. Solutions featuring custom operating systems and firmware are not ideal as they are expected to have higher procurement and maintenance costs and requirements, among other reasons. Measures of effectiveness will include the ability to integrate with existing technologies and abide by all current and future NSA Mobility publications. The solution shall also adhere to strict requirements of battery life, CPU performance, I/O performance, boot-up times, and tactical application integration.


CDS High Availability


Cross Domain Solutions (CDS) are typically less resilient than our other information technology (IT). Today we can support CDS load balancing and failover via typical mechanisms if the CDS protocols support it. There are, however, multiple technical shortfalls that limit the usability of these techniques, including the inability to provide CDS load information to commodity load balancers, to maintain configuration synchronization between multiple CDSs, and to detect and recover from CDS failure. The purpose of this effort is to develop techniques to address these CDS availability concerns. Measures of effectiveness will include extensibility of the approach to multiple CDSs, ability to integrate with off-the-shelf tools for load balancing, information assurance acceptability, and efficient utilization of network bandwidth for communication between components.


Cross Domain Machine-to-Machine (M2M) Mediation Layer


A common approach to addressing cross domain information sharing requirements is cross-domain enablement of the underlying information technology (IT) that facilitates information sharing intra-domain. Cross domain enablement of the machine-to-machine (M2M) protocols that support this IT is challenging because M2M protocols often have attributes that do not match typical CDS transfer characteristics. Some common examples include: non-atomic transactions (which require more than one CDS transfer in order to complete), transactions that require ACK/NACK (CDS transfers are usually one way and may not provide failure notification), and transactions that are dependent upon one another (CDS are typically stateless and transfers are independent of one another). The purpose of this effort is to develop a mediation layer that can act as a foundation for M2M communications over a CDS. This mediation layer will be the integration point for specific protocol termination services (e.g., DB transactions, Web Services) and would handle the necessary information management and CDS data flow understanding to map between M2M interface requirements and CDS transfer capabilities. Measures of effectiveness will include ease of integration with a new set of M2M data flows, native M2M protocol independence, ability to protect end system data integrity from CDS filtering issues, solution performance (throughput and latency), and ease of recovery when issues arise (e.g., the CDS is unavailable, or CDS filters are misconfigured and start failing transactions).


Dynamic Mobile Device Management (DMDM)


In order to provide secure containers for multiple compartments within mobile devices, a dynamic method to manage mobile devices using a secure Operating System (such as SE-Android) is required. This topic is to develop and demonstrate an innovative method for the management of such a device. The following management capabilities must be considered: support for multiple compartments on a single mobile platform, dividing each container into separate compartments, each with their own storage, key store, and applications; the ability to provide flexible policies for the communication of all applications with each other and the device; high-level enforcement of applications to operate as specified by policy within a container; typical device management, which includes user management, device lock-down, container isolation protection, tamper resistance, and remote management (including the ability to wipe the device if compromised); and continual assessment of the device's security state, taking appropriate actions when that state is compromised. The prototype delivered must incorporate as many of these capabilities as possible and demonstrate successful container separation, device and policy management, and attestation of device security. The solution must adhere to the relevant portions of the Mobility Capability Package protection profiles and National Information Assurance Partnership (NIAP) guidelines. Measures of effectiveness will be based on application performance, agility in tactical low/no-communication situations, and the ability to integrate with components from the National Security Agency Commercial Solutions for Classified (CSfC) such as Data at Rest, Data in Transit, Mobile Device Management, etc.

Added: Dec 17, 2014 1:19 pm


The purpose of this modification is to correct the point of contact provided in modification to this FBO dated 21 Nov 2014 as follows:

    Revise the technical POC in SECTION VII - Agency Contacts.  The TPOC is deleted in its entirety and replaced with the following:

        Michael Mayhew
        AFRL/RIEBA
        525 Brooks Road
        Rome New York 13441-4505
        Telephone:  (315) 330-2898
        Email:  michael.mayhew.1@us.af.mil

No other changes are being made.


Added: Jan 09, 2015 10:52 am
The purpose of this modification is to republish the original announcement, incorporating all previous modifications, pursuant to FAR 35.016(c). This republishing also includes the following changes: (a) Section III.5: Add Paragraph 5 with information on the Government approved accounting system requirement; (b) Section IV.1: Added new URL for BAA Guide to Industry and the Proposal Preparation Instructions; (c) Section IV.2: Removed two references to proposals. Directions are now specific to white papers (see Proposal Preparation Instructions for proposal guidance); (d) Section IV.3: Revise submission dates for FY17 and FY18; (e) Section VII: Updated the AFFARS Clause 5352.201-9101 version.
 

No other changes have been made.


NAICS CODE: 541712


FEDERAL AGENCY NAME: Department of the Air Force, Air Force Material Command, AFRL-Rome Research Site, AFRL/Information Directorate, 26 Electronic Parkway, Rome NY 13441-4514


TITLE: Innovative Cross-domain Cyber Reactive Information Sharing (ICCyRIS)


ANNOUNCEMENT TYPE: Initial Announcement


FUNDING OPPORTUNITY NUMBER: BAA-RIK-14-02


CFDA NUMBER: 12.800


I. FUNDING OPPORTUNITY DESCRIPTION:


The Cross Domain Innovation & Science (CDIS) group of the Air Force Research Laboratory's Information Directorate is interested in new innovative technologies and capabilities, within the Multi-Level Security (MLS) and Cyber Security environments, that promote the state of the art for secure, accreditable, resilient, and reactive capabilities to enhance the sharing of information between multiple security domains within both enterprise and mobile/tactical environments.


This BAA focuses on developing new technologies to allow secure data sharing; trusted computing; smart routing; cyber defense; Multi-Level Security (MLS) trust at the tactical edge; and a comprehensive, multi-security domain, user-defined operational picture to effectively and efficiently improve the state-of-the-art for defense enterprise, cloud, and mobile/tactical computing/operations.


The goals of this BAA are to improve cross-domain information sharing in five distinct technology areas:


     1. Multi-Enclave/Multi-Domain Cyber User Defined Operational Picture (UDOP) - Extending enterprise status monitoring efforts and Cross Domain Solutions (CDSs) adaptability to meet greater operator need.
     2. High Risk Data Type Mitigation - Providing micro-virtualized ultra-high-risk content and investigations for malicious behavior before passing them to other security domains.
     3. Fine-Grained Grammar for Orchestration - Use of formal grammars for quick adaptation of workflows to meet changing mission/security/performance requirements.
     4. Content and Label Based Routing - Extending the trust provided at node and network environments to the information objects being passed to assure end-to-end trust in passing and delivering information to recipients.
     5. MLS Trust at the Edge - Extending the robustness and usability of MLS mobile and desktop endpoint technology to meet the critical needs of our mobile warriors.


General Focus Areas Applicable to all FYs:


Automatically Evaluate Video Streams for Cross-Domain Releasability: Perform an analysis of alternatives and incorporate the most mature systems into a prototype for evaluating the releasability of streaming data. This specifically includes but is not limited to speech-to-text, person recognition, and object recognition functionality plus system(s) to reason over the results of these functions.


Improved Security Through Virtualization: Utilize the broad swath of virtualization technologies to improve the state of the art of information assurance. Note also the related High Risk Binary Assessment Focus Area for FY 15 under this BAA, as well as the Secure Data Containers Focus Area for FY16.


Novel, Trustworthy Filtration: Improve the state of data filtration through the use of techniques and procedures either previously unexplored in filtration or completely novel. Note that adding a new filter for an already covered file type is much less interesting than the ability to add classes of file types which are otherwise unaddressed by filtration engines. Note also the related High Risk Binary Assessment Focus Area for FY15 under this BAA, as well as the Imagery to Text Focus Area for FY18.


Improved Orchestration Interfaces that don't require a "Man-in-the-Loop": Research and develop better automation of multiple data flows, each containing myriad functions and decision points, intended to affect large pools of data. This may be used in conjunction with various efforts such as the National Security Agency's (NSA's) Bray tool, Data Flow Configuration Format (DFCF), Guard Remote Management Protocol (GRMP), the CDS Management Information Base (MIB), and/or others. This capability includes the ability to demonstrate proposed changes against known pools of data, provide high level metrics regarding the original and changed results on those known pools of data, and to allow the user to drill down into greater, granular detail on the metrics as needed. These interfaces should not assume any particular degree of knowledge for users beyond a general computer use competency, and must ensure users' identity and authorization via appropriate methods.


Improved Machine-to-Machine Automation: Many cross domain links are established between automated systems for various purposes. There are large swaths of commonality across most of these links. Build tools to leverage unmodified CDSs from the Unified Cross Domain Management Office (UCDMO) baseline to better meet the need for creating similar links in the future.


Improved Commodity Multi-Level Security (MLS) Networking: Create networking capable of mandatory access control (MAC) for content, locations and users marked, approved and operating at different levels of classification (plus releasability, caveats, and other security-relevant markings) utilizing commodity hardware, operating systems, software and infrastructure as much as practical. Complete redevelopment/replacement of existing networking infrastructure and endpoints is explicitly outside the scope of this effort.


CAC Authentication via MicroSD Certificate Storage: Commercial mobile devices on their own, with standard configuration, are not secure enough for government use. However, to save money, many agencies are looking to leverage them. This poses a challenge for securing government/sensitive data access by the device user, while maintaining all the functionality of the commercial device itself. One approach is to utilize micro/nano Secure Digital (SD) cards to provide secure storage of access certificates. Phase one of this focus area will develop a secure, "read only" certificate store utilizing the Micro and Nano SD card form factors for use in physically unmodified Commercial-Off-The-Shelf (COTS) Mobile Platforms. Software applications may be modified or created in order to demonstrate the functionality. The second phase of this focus area will test the proposed solution against real world scenarios utilizing life-like certificate data to ascertain robustness against published Security Technical Implementation Guides (STIGs).


Securing Commercial Off-The-Shelf (COTS) Mobile Device Common Access Card (CAC) Authentication via Near-Field Communication (NFC): Several COTS mobile devices feature NFC capabilities. Concurrently, there are requirements for warfighters to authenticate on computing resources with their Common Access Card (CAC). Unfortunately, physical external readers for CACs are unwieldy extensions to mobile devices. As such, there may be an opportunity to investigate utilizing the COTS NFC capabilities, assuming they meet or exceed the security requirements accomplished by the physical readers. Given the repeated demonstrations at recent Black Hat events of COTS NFC capabilities being exploited in various ways, skepticism as to these devices' security capabilities will need to be assuaged, and the risks demonstrated as appropriately mitigated for operationally meaningful situations. Additionally, the demonstrated solution faces further challenges: it must be able to prevent unauthorized access to sensitive data provided via CAC PKI capabilities; it must securely account for users with multiple credentials and access their existing certificates within appropriate networks (as in Global Access List, Lightweight Directory Access Protocol (LDAP)/Active Directory (AD), etc.); it must have a segregation capability if malicious code is detected; and it must allow for appropriate persistence of user authentication even after the device and NFC tag are outside of scanning range.


Real Time Mobile Authentication: Many mobile users, especially field operators and tactical users, require mobile devices to be unlocked or readily available at any time throughout the mission. Long passphrases can be difficult to remember and may require attention that directs the user's vision away from the battlefield. Unfortunately, leaving the devices unlocked poses a large security risk if the phones are lost or stolen. By leveraging the sensors on the device (e.g., camera, GPS, accelerometer (gait), humidity, temperature) along with new wearable technology (blood pressure, heart beat, body temperature), advanced policies can be created to authenticate the user with the mobile device and keep mission-critical applications unlocked and ready to use. These policies should be dynamic and adapt to the environment of the user; for example, they may trigger operations such as locking the device or, in certain locations, wiping the device entirely. Measures of effectiveness will be based on authentication false positive/negative rates, impacts to battery life, CPU performance, I/O performance, and tactical use cases.
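The sensor-fused, environment-adaptive policy this focus area calls for (also described in the Dec 02, 2014 modification above), as an added illustration that is not part of the announcement and not code from any fielded system: constructed readings (gait-match score from the accelerometer, wearable pairing, heart-rate plausibility, GPS zone) are combined into a confidence score, the keep-unlocked and wipe thresholds depend on the zone the user is in, and the false positive and false negative rates named as measures of effectiveness are computed over a constructed, labelled sample set. The weights, zone names, thresholds and every reading are assumptions made for the example.

```python
"""Sensor-fused continuous authentication with zone-dependent lock/wipe policy.

Added example, not from the BAA or any fielded system. All weights, zone
labels, thresholds and sensor readings below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Reading:
    gait_score: float       # 0..1 similarity of current gait to the enrolled template
    wearable_paired: bool   # trusted wearable still in range and reporting
    hr_plausible: bool      # wearable heart rate within the enrolled user's normal band
    zone: str               # constructed geofence label: "base", "field" or "denied"


# Per-zone policy: (minimum confidence to stay unlocked, confidence below which
# the device is wiped instead of merely locked). Constructed values.
ZONE_POLICY: Dict[str, Tuple[float, float]] = {
    "base":   (0.40, 0.00),   # friendly area: lock on doubt, never wipe
    "field":  (0.55, 0.20),
    "denied": (0.70, 0.40),   # device should not be here: wipe aggressively
}

# Relative trust placed in each signal; gait is the continuous behavioural signal.
WEIGHTS = {"gait": 0.5, "wearable": 0.3, "hr": 0.2}


def confidence(r: Reading) -> float:
    """Fuse the signals into a single 0..1 confidence that the owner holds the device."""
    return (WEIGHTS["gait"] * r.gait_score
            + WEIGHTS["wearable"] * (1.0 if r.wearable_paired else 0.0)
            + WEIGHTS["hr"] * (1.0 if r.hr_plausible else 0.0))


def decide(r: Reading) -> str:
    """Return 'unlocked', 'lock' or 'wipe' for one reading under the zone's policy."""
    # An unknown zone is treated with the strictest policy rather than the laxest.
    keep, wipe = ZONE_POLICY.get(r.zone, ZONE_POLICY["denied"])
    c = confidence(r)
    if c >= keep:
        return "unlocked"
    return "wipe" if c < wipe else "lock"


def error_rates(samples: List[Tuple[Reading, bool]]) -> Dict[str, float]:
    """False positive = imposter kept unlocked; false negative = owner locked or wiped."""
    fp = fn = imposters = owners = 0
    for r, is_owner in samples:
        d = decide(r)
        if is_owner:
            owners += 1
            fn += d != "unlocked"
        else:
            imposters += 1
            fp += d == "unlocked"
    return {"fpr": fp / imposters if imposters else 0.0,
            "fnr": fn / owners if owners else 0.0}


# Constructed labelled samples: (reading, True if the enrolled owner holds the device).
SAMPLES: List[Tuple[Reading, bool]] = [
    (Reading(0.90, True, True, "field"), True),     # owner, every signal agrees
    (Reading(0.60, True, False, "field"), True),    # owner under stress, HR out of band
    (Reading(0.35, False, False, "base"), True),    # owner sitting still, wearable off
    (Reading(0.20, False, False, "field"), False),  # imposter, no wearable
    (Reading(0.75, False, False, "field"), False),  # imposter mimicking the gait well
    (Reading(0.10, False, False, "denied"), False), # imposter in a denied area
]
```

The third sample shows the trade-off the focus area's measures of effectiveness capture: a stationary owner without the wearable is locked (a false negative), while the gait-mimicking imposter in the fifth sample is still denied because no second signal corroborates the gait score. Tuning `WEIGHTS` and `ZONE_POLICY` moves the false positive and false negative rates against each other; battery and CPU cost of the sensors feeding `Reading` are the other axes the announcement names.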


Focus Areas for FY15:


High Risk Binary Assessment: Demonstrate a capability to automate invocation of potentially malicious content within a secure environment (such as a sandbox, virtual machine, or "detonation chamber"). This capability should include scripting some appropriate number of user actions within commodity, unmodified applications and monitoring the environment for malicious or unexpected behaviors. The solution should incorporate both signature based detection of suspect behaviors as well as aberrant behavior based on a learned fingerprint of the normal functioning of the consuming application(s) within the environment. For example, if a given application doesn't normally generate alternate data streams within Windows, then generating an alternate data stream upon opening a new file in that application should be flagged. Integrity of the mechanisms that identify these unexpected behaviors must be protected from tampering or observation from within the secure environment. The solution shall also include one or more ways to adapt to new exercising applications and steps within the secure environment to either extend inspection of current file types supported and/or to offer support for new file types. In the final version delivered, no particular degree of knowledge beyond a general computer use competency should be expected from operators or those who adapt the system in the aforementioned manner(s).
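The two detection modes this focus area asks for, signature matching plus deviation from a learned fingerprint of the consuming application, as an added example that is not part of the announcement and not code from any sandbox product. The behaviour traces, the trace line format, the signature rules and the application name are all constructed for the example; a real monitor would collect these events from outside the guest, which is how the integrity requirement in the paragraph is met.

```python
"""Baseline-plus-signature behaviour assessment over constructed sandbox traces.

Added example, not part of the BAA. It (1) learns a fingerprint of normal
behaviour for a consuming application from known-benign runs and (2) checks a
new run against both that fingerprint and a small set of signature rules.
Trace format (assumed): one event per line, "<app> <action> <detail>".
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed benign training traces: the word processor opening clean documents.
BENIGN_TRACES = """\
wordproc file_read C:\\Users\\u\\Documents\\memo.docx
wordproc file_write C:\\Users\\u\\AppData\\Local\\Temp\\~tmp1.tmp
wordproc registry_read HKCU\\Software\\WordProc\\Recent
wordproc file_read C:\\Users\\u\\Documents\\plan.docx
wordproc file_write C:\\Users\\u\\AppData\\Local\\Temp\\~tmp2.tmp
wordproc registry_read HKCU\\Software\\WordProc\\Recent
"""

# Constructed trace of a suspect document opened by the same application.
SUSPECT_TRACE = """\
wordproc file_read C:\\Users\\u\\Documents\\invoice.docx
wordproc file_write C:\\Users\\u\\AppData\\Local\\Temp\\~tmp3.tmp
wordproc ads_create C:\\Users\\u\\Documents\\invoice.docx:payload
wordproc process_create C:\\Windows\\System32\\cmd.exe
wordproc registry_write HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
"""

# Signature rules (constructed): (action, substring of detail, label). These fire
# regardless of the baseline, which is the "signature based" half of the requirement.
SIGNATURES: List[Tuple[str, str, str]] = [
    ("registry_write", "\\CurrentVersion\\Run\\", "autostart persistence"),
    ("process_create", "cmd.exe", "spawned command interpreter"),
]


def parse_trace(text: str) -> List[Tuple[str, str, str]]:
    """Split trace lines into (app, action, detail) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            app, action, detail = line.split(" ", 2)
            events.append((app, action, detail))
    return events


def learn_fingerprint(events: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Fingerprint = the set of action types each application performed when benign."""
    fp: Dict[str, Set[str]] = defaultdict(set)
    for app, action, _ in events:
        fp[app].add(action)
    return dict(fp)


def assess(events: List[Tuple[str, str, str]],
           fingerprint: Dict[str, Set[str]]) -> List[str]:
    """Return one finding per signature hit and per action absent from the baseline."""
    findings = []
    for app, action, detail in events:
        for sig_action, needle, label in SIGNATURES:
            if action == sig_action and needle in detail:
                findings.append(f"signature: {label} ({action} {detail})")
        if action not in fingerprint.get(app, set()):
            # The aberrant-behaviour half: e.g. this application never created an
            # alternate data stream in any benign run, so ads_create is flagged.
            findings.append(f"anomaly: {app} never performed {action} in baseline ({detail})")
    return findings
```

Run against the constructed traces, `assess` yields five findings: two signature hits (autostart persistence, command interpreter) and three baseline deviations (`ads_create`, `process_create`, `registry_write`). Adapting to a new consuming application, as the paragraph requires, is a matter of supplying new benign traces to `learn_fingerprint`; no detection code changes.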


Situational Awareness of End-to-End Multi-level Information Flow: NSA's Cross Domain Solution Management Information Base (CDS-MIB) is a CDS-independent mechanism used to report information including flow performance, errors, and various other metrics related to CDS health and status. This is only part of the picture necessary to be efficiently aware of the true multi-level information flow picture. The addition of information pertaining to CDS support devices such as external filtering appliances, CDS pre-processors, mission applications that leverage CDS, and other IT integral to cross domain services (e.g., identity management, email infrastructure) is intended to enhance end-to-end situational awareness. This will increase situational awareness of all CDSs on the network, provide more insight into network status and services status, and provide opportunity for further integration with other activities, to include prior CDIS-run efforts such as Audit-Based Sensing & Protection (ASP) and Behavior Based Risk Assurance (BBRA). Once this capability is developed, other capabilities, to include load balancers and automatic failover, can use the information.


Dynamic Mobile Device Management (DMDM): In order to provide secure containers for multiple compartments within mobile devices, a dynamic method to manage mobile devices using a secure Operating System (such as SE-Android) is required. This topic is to develop and demonstrate an innovative method for the management of such a device. The following management capabilities must be considered: support for multiple compartments on a single mobile platform, dividing each container into separate compartments, each with their own storage, keystore, and applications; the ability to provide flexible policies for the communication of all applications with each other and the device; high-level enforcement of applications to operate as specified by policy within a container; typical device management, which includes user management, device lock-down, container isolation protection, tamper resistance, and remote management (including the ability to wipe the device if compromised); and continual assessment of the device's security state, taking appropriate actions when that state is compromised. The prototype delivered must incorporate as many of these capabilities as possible and demonstrate successful container separation, device and policy management, and attestation of device security.


Focus Areas for FY 16:


Multi-Level-Security Mobile Secure Foundation: Currently we are tracking two major technical approaches for Multi-Level Security (MLS) on Commercial Off-The-Shelf (COTS) hardware running the Android ecosystem. The first approach utilizes a hypervisor to separate multiple virtual machines' operations within the secure device. The second utilizes Security Enhanced (SE) Android policy to separate (sets of) processes. Both of these efforts have disparate strengths and weaknesses, as measured by performance, battery life, boot and access times, and other metrics. Other technical approaches to achieve assured Multi-Level Security operation within the Android ecosystem may also be viable, if they can be brought to a similar or higher degree of maturity as well as accomplishing the rest of the tasking by the end of this effort. This effort is to provide a secure foundation for additional development in mobile devices for multiple DoD/IC use cases. As such, the solution chosen must follow accreditation guidelines throughout the effort and ideally have zero outstanding technical issues which would preclude accreditation. Additionally, the chosen solution must adhere to the relevant portions of the Mobility Capability Package protection profiles and National Information Assurance Partnership (NIAP) guidelines. The architecture shall include components selected from the National Security Agency Commercial Solutions for Classified (CSfC) such as Data at Rest, Data in Transit, Mobile Device Management, etc. Finally, it is important that the solution be compatible with military needs for current and future tactical usage, including the continued usage of hardware peripherals. The successful solution will be based on commodity hardware, and ideally with commodity firmware utilizing hardware-based attestation (e.g. Trusted Platform Module (TPM), ARM TrustZone, Samsung KNOX, etc.) through the boot cycle and normal operation of the device. Solutions featuring custom operating systems and firmware are not ideal as they are expected to have higher procurement and maintenance costs and requirements, among other reasons. Measures of effectiveness will include the ability to integrate with existing technologies and abide by all current and future NSA Mobility publications. The solution shall also adhere to strict requirements of battery life, CPU performance, I/O performance, boot-up times, and tactical application integration.


CDS High Availability: Cross Domain Solutions (CDS) are typically less resilient than our other information technology (IT). Today we can support CDS load balancing and failover via typical mechanisms if the CDS protocols support it. There are, however, multiple technical shortfalls that limit the usability of these techniques, including the inability to: provide CDS load information to commodity load balancers, maintain configuration synchronization between multiple CDSs, and detect and recover from CDS failure. The purpose of this effort is to develop techniques to address these CDS availability concerns. Measures of effectiveness will include extensibility of the approach to multiple CDSs, ability to integrate with off-the-shelf tools for load balancing, information assurance acceptability, and efficient utilization of network bandwidth for communication between components.


Cross Domain Machine-to-Machine (M2M) Mediation Layer: A common approach to addressing cross domain information sharing requirements is cross-domain enablement of the underlying information technology (IT) that facilitates information sharing intra-domain. Cross domain enablement of the machine-to-machine (M2M) protocols that support this IT is challenging because M2M protocols often have attributes that do not match typical CDS transfer characteristics. Some common examples include: non-atomic transactions (which require more than one CDS transfer in order to complete), transactions that require ACK/NACK (CDS transfers are usually one way and may not provide failure notification), and transactions that are dependent upon one another (CDSs are typically stateless and transfers are independent of one another). The purpose of this effort is to develop a mediation layer that can act as a foundation for M2M communications over a CDS. This mediation layer will be the integration point for specific protocol termination services (e.g. DB transactions, Web Services) and would handle the necessary information management and CDS data flow understanding to map between M2M interface requirements and CDS transfer capabilities. Measures of effectiveness will include ease of integration with a new set of M2M data flows, native M2M protocol independence, ability to protect end system data integrity from CDS filtering issues, solution performance (throughput and latency), and ease of recovery when issues arise (e.g. the CDS is unavailable, or CDS filters are misconfigured and start failing transactions).
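The three mismatches listed above (multi-transfer transactions, missing ACK/NACK, and stateless independent transfers) are easiest to see in code. The following is an added illustration, not AFRL's or any vendor's mediation layer: a simulated one-way transfer CDS that filters each transfer independently and returns nothing to the sender, a high-side mediator that commits a transaction only when every part arrived intact and otherwise reports what is missing, and a low-side mediator that holds the transaction pending until an ACK/NACK comes back over a reverse-direction CDS or a deadline expires. All class names, the `UNAPPROVED` filter marker and the sample statements are constructed for this example.

```python
"""Mediation layer sketch for M2M transactions over a one-way, stateless CDS.
Added example; the classes and the simulated CDS are constructed for illustration."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One independent CDS transfer: a slice of a larger transaction."""
    txn_id: str
    seq: int
    total: int
    payload: bytes
    digest: str      # sha256 of payload, so a transfer altered by a filter is caught


def sha256(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


class OneWayCDS:
    """Simulated transfer CDS: stateless, no return path, each transfer filtered
    on its own; a rejected transfer is dropped silently (no failure notice)."""
    def __init__(self, reject):
        self.reject = reject      # predicate on payload: True means the filter blocks it
        self.delivered = []       # what reaches the far side, in order

    def send(self, t: Transfer) -> None:
        if not self.reject(t.payload):
            self.delivered.append(t)


class HighSideMediator:
    """Reassembles transfers per txn_id; commits a transaction only when every
    part is present and intact, otherwise reports which parts are missing."""
    def __init__(self, reverse_cds: OneWayCDS):
        self.reverse = reverse_cds
        self.parts = {}           # txn_id -> {seq: Transfer}
        self.committed = []       # (txn_id, [payloads]) applied as one unit

    def receive(self, t: Transfer) -> None:
        if sha256(t.payload) == t.digest:      # altered in transit counts as undelivered
            self.parts.setdefault(t.txn_id, {})[t.seq] = t

    def finalize(self, txn_id: str) -> str:
        """Called when the transaction's deadline passes; sends ACK or NACK back."""
        got = self.parts.pop(txn_id, {})
        total = next(iter(got.values())).total if got else 0
        missing = [i for i in range(total) if i not in got]
        if not got:
            status = "NACK missing=all"
        elif missing:
            status = "NACK missing=" + ",".join(map(str, missing))
        else:
            self.committed.append((txn_id, [got[i].payload for i in range(total)]))
            status = "ACK"
        reply = status.encode()
        self.reverse.send(Transfer(txn_id, 0, 1, reply, sha256(reply)))
        return status


class LowSideMediator:
    """Splits a transaction into independent transfers and keeps it pending until
    the high side's ACK/NACK arrives on the reverse channel or a deadline passes."""
    def __init__(self, forward_cds: OneWayCDS):
        self.forward = forward_cds
        self.pending = {}         # txn_id -> statements awaiting an outcome
        self.outcomes = {}        # txn_id -> "ACK" / "NACK ..." / "TIMEOUT"

    def submit(self, txn_id: str, statements: list) -> int:
        self.pending[txn_id] = list(statements)
        for seq, s in enumerate(statements):
            self.forward.send(Transfer(txn_id, seq, len(statements), s, sha256(s)))
        return len(statements)

    def on_reply(self, t: Transfer) -> None:
        if t.txn_id in self.pending and sha256(t.payload) == t.digest:
            self.outcomes[t.txn_id] = t.payload.decode()
            del self.pending[t.txn_id]

    def expire(self, txn_id: str) -> None:
        """No reply by the deadline: record a local NACK so the caller can retry."""
        if self.pending.pop(txn_id, None) is not None:
            self.outcomes[txn_id] = "TIMEOUT"


def run_scenario():
    """Constructed scenario: the forward filter blocks any statement carrying an
    unapproved marker, so a three-part transaction arrives incomplete."""
    forward = OneWayCDS(reject=lambda p: b"UNAPPROVED" in p)
    reverse = OneWayCDS(reject=lambda p: False)
    low, high = LowSideMediator(forward), HighSideMediator(reverse)
    low.submit("txn-1", [b"INSERT a", b"INSERT b UNAPPROVED", b"INSERT c"])
    low.submit("txn-2", [b"UPDATE x", b"UPDATE y"])
    for t in forward.delivered:   # deliver whatever passed the filter
        high.receive(t)
    high.finalize("txn-1")
    high.finalize("txn-2")
    for t in reverse.delivered:   # ACK/NACK flows back over the reverse CDS
        low.on_reply(t)
    return low.outcomes, high.committed


if __name__ == "__main__":
    print(run_scenario())
```

The point of the scenario is the integrity property named in the measures of effectiveness: when the filter drops the middle statement of `txn-1`, the high side commits nothing for that transaction and the low side learns which sequence number is missing, rather than the destination database ending up with two of three statements applied. Replacing the explicit `finalize`/`expire` calls with timers is the only change needed to make the same logic event-driven.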


Dynamic Mobile Device Management (DMDM): In order to provide secure containers for multiple compartments within mobile devices, a dynamic method to manage mobile devices using a secure Operating System (such as SE-Android) is required. This topic is to develop and demonstrate an innovative method for the management of such a device. The following management capabilities must be considered: support for multiple compartments on a single mobile platform, dividing each container into separate compartments, each with its own storage, key store, and applications; the ability to provide flexible policies for the communication of all applications with each other and the device; high-level enforcement that applications operate as specified by policy within a container; typical device management, which includes user management, device lock-down, container isolation protection, tamper resistance, and remote management (including the ability to wipe the device if compromised); and continual assessment of the device's security state with appropriate actions when that state is compromised. The prototype delivered must incorporate as many of these capabilities as possible and demonstrate successful container separation, device and policy management, and attestation of device security. The solution must adhere to the relevant portions of the Mobility Capability Package protection profiles and National Information Assurance Partnership (NIAP) guidelines. The measures of effectiveness will be application performance, agility in tactical low- or no-communication situations, and the ability to integrate with components from the National Security Agency Commercial Solutions for Classified (CSfC) such as Data at Rest, Data in Transit, Mobile Device Management, etc.


Focus Areas for FY 17:


On-Demand Cross Domain Solution (CDS) Filtering: Provide a trustworthy mechanism to securely store, deliver, and deploy new filters into CDSs on demand. The intent is to develop a new, or extend an existing, agnostic Application Programmer's Interface (API) to allow multiple disparate transfer CDSs to interrogate one or more trusted store(s) for filters to be securely delivered in near-real-time, and to provide a reference implementation for that trusted store. This is intended to allow CDSs to adapt to changing workload requirements and threat environments. If the CDS already contains a similar capability or partial capability, it is expected that this API will wrap it rather than redevelop it.


Enhance Logic and Visualization for Enterprise Capabilities: Extend the ability to monitor one or more transfer Cross Domain Solutions (CDSs) beyond prior efforts' scope by incorporating business logic through a reasoning engine to examine the data collected and stored via CDS-MIB, SNMP and perhaps alternate sources, as well as performing trend analysis across this information. This would be expected to automatically suggest and/or enforce reporting and warning thresholds and to alert responsible parties, via Simple Network Management Protocol (SNMP) (for integration with enterprise management and alert systems), email and/or text message, to abnormal activity with respect to the CDSs' normal functioning. Given other previously developed tools, this developed capability might be expected to automatically react to incoming data and alter one or more CDSs' operational posture, either to ensure operational goals and/or to reduce data exfiltration/malware infiltration.


Mobile MLS Cross Domain XML Routing: Evaluate existing XML data tagging standards for use in both IP-based wired networks and wireless mobile networking environments, both for traditional tagging roles and also in support of cross security domain routing decisions. Publish this evaluation in order to gather feedback and consensus and hopefully drive standardization across DoD/IC and eventually the mobile industry. Finally, develop a prototype that enables standardized cross domain routing originating and/or ending on a mobile platform.


Advanced File Typing: Perform a best-of-breed Analysis of Alternatives between deep content inspection and/or file parsing capabilities such as Apache Tika, Data Format Description Language (DFDL), and similar. Using the best of breed, create a prototype to perform deep content inspection of files to detect and/or extract metadata, binary blobs and/or structured text content in order to properly and fully identify file types (Multipurpose Internet Mail Extension (MIME) types). Develop it with common programmatic API calls, appropriate web service interfaces, and NSA's Filter Componentization Effort (FCE) specification. Test and evaluate performance and reliability of file type identification. Include edge cases such as polymorphism, spoofing, multiple file type compatibilities, and container file types.
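What the four edge cases in the last sentence mean for a transfer filter is easier to show than to describe. The block below is an added example written for this page, not code from AFRL, Apache Tika or any FCE filter: it types a file from its bytes rather than its name, then flags an extension that disagrees with the content (spoofing), a second signature hidden later in the file (a polyglot, one form of polymorphism), a declared/detected pair that is legitimately the same bytes (a `.docx` is a zip, so the two are compatible), and a container whose members are typed individually. The signature table, the MIME map, the `COMPATIBLE` set and all function names are constructed for illustration; a production filter would put a full library such as Apache Tika behind the same `identify()` interface.

```python
"""Content-based file typing with spoof, polyglot and container checks.
Added example; signature table, MIME map and names are constructed for illustration."""
import io
import posixpath
import zipfile

DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
OCTET = "application/octet-stream"

# Constructed, deliberately small magic-byte table: (offset, signature, MIME type).
SIGNATURES = [
    (0, b"%PDF-", "application/pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
    (0, b"PK\x03\x04", "application/zip"),
    (0, b"\x7fELF", "application/x-executable"),
    (0, b"MZ", "application/vnd.microsoft.portable-executable"),
]
# What the file name claims; the bytes, not this table, decide the verdict.
EXT_TO_MIME = {
    "pdf": "application/pdf", "png": "image/png", "gif": "image/gif",
    "jpg": "image/jpeg", "jpeg": "image/jpeg", "zip": "application/zip",
    "docx": DOCX, "txt": "text/plain",
    "exe": "application/vnd.microsoft.portable-executable",
}
# Declared/detected pairs that are legitimately the same bytes (a .docx is a zip).
COMPATIBLE = {("application/zip", DOCX)}


def header_type(data: bytes) -> str:
    """Type from the leading bytes alone, ignoring the file name."""
    for offset, sig, mime in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return mime
    sample = data[:512]
    if sample and all(b in (9, 10, 13) or 32 <= b < 127 for b in sample):
        return "text/plain"
    return OCTET


def embedded_types(data: bytes) -> set:
    """Signatures found past offset 0: a second identity hidden in the file."""
    return {mime for _, sig, mime in SIGNATURES
            if len(sig) >= 4 and data.find(sig, 1) != -1}  # short sigs false-positive


def inspect_zip(data: bytes):
    """Refine a zip to a known container format and type each member's header."""
    members = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if not name.endswith("/"):
                    with zf.open(name) as fh:        # header-sized slice only
                        members[name] = header_type(fh.read(64))
    except zipfile.BadZipFile:
        return "application/zip", {}
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
        return DOCX, members
    return "application/zip", members


def identify(filename: str, data: bytes) -> dict:
    """Return the detected type plus the flags a transfer filter would act on."""
    ext = posixpath.splitext(filename)[1].lstrip(".").lower()
    declared = EXT_TO_MIME.get(ext, OCTET)
    detected = header_type(data)
    members = {}
    if detected == "application/zip":
        detected, members = inspect_zip(data)
    # Container members were typed individually above; scanning the raw archive
    # bytes would only re-find the local headers of its own entries.
    embedded = set() if members else embedded_types(data) - {detected}
    flags = []
    if declared != detected and (declared, detected) not in COMPATIBLE:
        flags.append("extension_spoof")
    if embedded:
        flags.append("polyglot")
    if members:
        flags.append("container")
    return {"declared": declared, "detected": detected, "members": members,
            "embedded": sorted(embedded), "flags": flags}


def build_docx_like(extra_member: bytes = b"") -> bytes:
    """Constructed minimal OOXML-shaped zip used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<?xml version='1.0'?><Types/>")
        zf.writestr("word/document.xml", "<?xml version='1.0'?><w:document/>")
        if extra_member:
            zf.writestr("word/media/image1.png", extra_member)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                                  # constructed inputs
        "invoice.pdf": b"MZ" + b"\x00" * 62,                         # PE wearing a .pdf name
        "banner.gif": b"GIF89a" + b"\x00" * 10 + b"%PDF-1.4 trailer",  # GIF/PDF polyglot
        "notes.zip": build_docx_like(b"\x7fELF" + b"\x00" * 12),     # docx with ELF member
    }
    for name, blob in samples.items():
        print(name, identify(name, blob))
```

Two design choices matter for a filter rather than a desktop tool: container members are read only to a header-sized slice, so a large or hostile archive cannot make the typer read it all, and the verdict is returned as structured flags so a downstream CDS policy can decide per flag (for instance, quarantine on `extension_spoof`, inspect members on `container`) instead of parsing a message string.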


Focus Areas for FY 18:


Imagery to Text: In order to better meet warfighter operational needs, perform an Analysis of Alternatives on commercial, open source and Government Off-The-Shelf (GOTS) tools which provide Optical Character Recognition (OCR) and related capabilities. Include analysis on cost, performance, hardware requirements, accuracy (false positive / false negative rates), and other relevant features. Use the highest rated alternative to generate raw text files from multiple (3+) disparate imagery file and/or streaming formats. Create interfaces to feed output to other processes such as the Filter Componentization Effort (FCE) specification among other relevant specifications. Ensure the product provides appropriate levels of auditing and meets relevant assurance requirements.


II. AWARD INFORMATION:


Total funding for this BAA is approximately $24M. The anticipated funding to be obligated under this BAA is broken out by fiscal year as follows: FY 15 - $6M; FY 16 - $6M; FY 17 - $6M; FY 18 - $6M. Individual awards will not normally exceed 36 months, with dollar amounts normally ranging from $250K to $500K per year. There is also the potential to make awards up to any dollar value. Awards of efforts as a result of this announcement will be in the form of contracts, grants, cooperative agreements or other transactions depending upon the nature of the work proposed. The Government reserves the right to select all, part, or none of the proposals received, subject to the availability of funds. All potential Offerors should be aware that due to unanticipated budget fluctuations, funding in any or all areas may change with little or no notice.


III. ELIGIBILITY INFORMATION:


1. ELIGIBLE APPLICANTS:


All qualified offerors who meet the requirements of this BAA may apply.


This BAA is closed to foreign participation at the Prime Contractor level.


Foreign Ownership, Control or Influence (FOCI) companies who have mitigated FOCI may inquire as to eligibility by contacting the contracting office focal point, Gail E. Marsh, Contracting Officer, telephone (315) 330-7518 or e-mail Gail.Marsh@us.af.mil for verification prior to submitting a white paper. Please reference BAA RIK-14-02.


2. COST SHARING OR MATCHING: Cost sharing is not a requirement.


3. System for Award Management (SAM). Offerors must be registered in the SAM database to receive a contract award, and remain registered during performance and through final payment of any contract or agreement. Processing time for registration in SAM, which normally takes forty-eight hours, should be taken into consideration when registering. Offerors who are not already registered should consider applying for registration before submitting a proposal.


4. Executive Compensation and First-Tier Sub-contract/Sub-recipient Awards: Any contract award resulting from this announcement may contain the clause at FAR 52.204-10 - Reporting Executive Compensation and First-Tier Subcontract Awards. Any grant or agreement award resulting from this announcement may contain the award term set forth in 2 CFR, Appendix A to Part 25: http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=c55a4687d6faa13b137a26d0eb436edb&rgn=div5&view=text&node=2:1.1.1.41&idno=2#2:1.1.1.4.1.2.1.1


5. GOVERNMENT APPROVED ACCOUNTING SYSTEM: An offeror must have a government approved accounting system prior to award of a cost-reimbursement contract per limitations set forth in FAR 16.301-3(a) to ensure the system is adequate for determining costs applicable to the contract. The acceptability of an accounting system is determined based upon an audit performed by the Defense Contract Audit Agency (DCAA). IMPORTANT: If you do not have a DCAA approved accounting system, access the following link for instructions: https://www.fbo.gov/index?s=opportunity&mode=form&id=1cffad228f48b58057072a6c9113799d&tab=core&_cview=1


IV. APPLICATION AND SUBMISSION INFORMATION:


1. APPLICATION PACKAGE: THIS ANNOUNCEMENT CONSTITUTES THE ONLY SOLICITATION. WE ARE SOLICITING WHITE PAPERS ONLY. DO NOT SUBMIT A FORMAL PROPOSAL AT THIS TIME.


Those white papers found to be consistent with the intent of this BAA may be invited to submit a technical and cost proposal, see Section VI of this announcement for further details.


For additional information, a copy of the AFRL "Broad Agency Announcement (BAA): Guide for Industry," May 2012, and Proposal Preparation Instructions, Dec 2014, may be accessed at: https://www.fbo.gov/index?s=opportunity&mode=form&id=1cffad228f48b58057072a6c9113799d&tab=core&_cview=1


2. CONTENT AND FORM OF SUBMISSION: Offerors are required to submit 3 copies of a 3 to 5 page white paper summarizing their proposed approach/solution. The purpose of the white paper is to preclude unwarranted effort on the part of an offeror whose proposed work is not of interest to the Government.


The white paper will be formatted as follows: Section A: Title, Period of Performance, Estimated Cost, Name/Address of Company, Technical and Contracting Points of Contact (phone, fax and email)(this section is NOT included in the page count); Section B: Task Objective; and Section C: Technical Summary and Proposed Deliverables. Multiple white papers within the purview of this announcement may be submitted by each offeror. If the offeror wishes to restrict its white papers, they must be marked with the restrictive language stated in FAR 15.609(a) and (b). All white papers shall be double spaced with a font no smaller than 12 pitch. In addition, respondents are requested to provide their Commercial and Government Entity (CAGE) number, their Dun & Bradstreet (D&B) Data Universal Numbering System (DUNS) number, a fax number, an e-mail address, and reference BAA-RIK-14-02 with their submission. All responses to this announcement must be addressed to the technical POC, as discussed in paragraph six of this section.


3. SUBMISSION DATES AND TIMES: It is recommended that white papers be received by the following dates to maximize the possibility of award: FY 15 by 30 Jan 14, FY 16 by 15 Jan 15, FY 17 by 31 Jan 16, and FY 18 by 31 Jan 17. White papers will be accepted until 2pm Eastern time on 30 September 2018, but it is less likely that funding will be available in each respective fiscal year after the dates cited. FORMAL PROPOSALS ARE NOT BEING REQUESTED AT THIS TIME.


4. FUNDING RESTRICTIONS: The cost of preparing white papers/proposals in response to this announcement is not considered an allowable direct charge to any resulting contract or any other contract, but may be an allowable expense to the normal bid and proposal indirect cost specified in FAR 31.205-18. Incurring pre-award costs for ASSISTANCE INSTRUMENTS ONLY are regulated by the DoD Grant and Agreements Regulations (DODGARS).


5. All Proposers should review the NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL, (NISPOM), dated February 28, 2006 as it provides baseline standards for the protection of classified information and prescribes the requirements concerning Contractor Developed Information under paragraph 4-105. Defense Security Service (DSS) Site for the NISPOM is: http://www.dss.mil/.


6. OTHER SUBMISSION REQUIREMENTS: DO NOT send white papers to the Contracting Officer.


All responses to this announcement must be addressed to:


ATTN: Michael J. Mayhew
AFRL/RIEBA
ICCyRIS BAA: BAA-RIK-14-02
525 Brooks Road
Rome, NY 13441-4505


Electronic submission to Michael.Mayhew.1@us.af.mil will also be accepted.


In the event of a possible or actual compromise of classified information in the submission of your white paper or proposal, immediately but no later than 24 hours, bring this to the attention of your cognizant security authority and AFRL Rome Research Site Information Protection Office (IPO):


Vincent Guza
315-330-4048 0730-1630 Monday-Friday
315-330-2961 Evenings and Weekends
Email: vincent.guza@us.af.mil


V. APPLICATION REVIEW INFORMATION:


1. CRITERIA: The following criteria, which are listed in descending order of importance, will be used to determine whether white papers and proposals submitted are consistent with the intent of this BAA and of interest to the Government: (1) Overall Scientific and Technical Merit -- including the degree of innovation of the approach and the use of innovative modern architectures in development and/or enhancement of the proposed technology, the use of analysis, metrics and testing, and adherence to Information Assurance and Cross-Domain best practices; (2) Related Experience -- the extent to which the offeror demonstrates relevant technology and domain knowledge and experience within cross-domain environments; (3) Openness, Maturity and Assurance of Solution -- the extent to which existing capabilities and standards are leveraged and the relative maturity of the proposed technology in terms of the degree of Information Assurance and Cross-Domain standards implemented; and (4) Reasonableness and Realism of proposed costs and fees (if any). No further evaluation criteria will be used in selecting white papers/proposals. Individual white papers/proposals will be evaluated against the evaluation criteria without regard to other white papers and proposals submitted under this BAA. White papers and proposals submitted will be evaluated as they are received.


2. REVIEW AND SELECTION PROCESS: Only Government employees will evaluate the white papers/proposals for selection. The Air Force Research Laboratory's Information Directorate has contracted for various business and staff support services, some of which require contractors to obtain administrative access to proprietary information submitted by other contractors. Administrative access is defined as "handling or having physical control over information for the sole purpose of accomplishing the administrative functions specified in the administrative support contract, which do not require the review, reading, or comprehension of the content of the information on the part of non-technical professionals assigned to accomplish the specified administrative tasks." These contractors have signed general non-disclosure agreements and organizational conflict of interest statements. The required administrative access will be granted to non-technical professionals. Examples of the administrative tasks performed include: a. Assembling and organizing information for R&D case files; b. Accessing library files for use by government personnel; and c. Handling and administration of proposals, contracts, contract funding and queries. Any objection to administrative access must be in writing to the Contracting Officer and shall include a detailed statement of the basis for the objection.


3. The Government may simultaneously evaluate proposals received under this BAA from multiple offerors. In this case, the Government may make award based on adequate price competition, and offerors must be aware that there is a possibility of non-selection due to a proposal of similar but higher-priced technical approach as compared to another offeror.


VI. AWARD ADMINISTRATION INFORMATION:


1. AWARD NOTICES: Those white papers found to be consistent with the intent of this BAA may be invited to submit a technical and cost proposal. Notification by email or letter will be sent by the technical POC. Such invitation does not assure that the submitting organization will be awarded a contract. Those white papers not selected to submit a proposal will be notified in the same manner. Prospective offerors are advised that only Contracting Officers are legally authorized to commit the Government.


All offerors submitting white papers will be contacted by the technical POC, referenced in Section VII of this announcement. Offerors can email the technical POC for status of their white paper/proposal no earlier than 45 days after submission.


2. ADMINISTRATIVE AND NATIONAL POLICY REQUIREMENTS: Depending on the work to be performed, the offeror may require a Secret or Top Secret facility clearance and safeguarding capability; therefore, personnel identified for assignment to a classified effort must be cleared for access to Secret or Top Secret information at the time of award. In addition, the offeror may be required to have, or have access to, a certified and Government-approved facility to support work under this BAA. This acquisition may involve data that is subject to export control laws and regulations. Only contractors who are registered and certified with the Defense Logistics Information Service (DLIS) at http://www.dlis.dla.mil/jcp/ and have a legitimate business purpose may participate in this solicitation. For questions, contact DLIS on-line at http://www.dlis.dla.mil/jcp or at the DLA Logistics Information Service, 74 Washington Avenue North, Battle Creek, Michigan 49037-3084, telephone 1-800-352-3572. You must submit a copy of your approved DD Form 2345, Militarily Critical Technical Data Agreement, with your proposal.


3. DATA RIGHTS: The potential for inclusion of Small Business Innovation Research (SBIR) or data rights other than unlimited on awards is recognized. In accordance with (IAW) the Small Business Administration (SBA) SBIR Policy Directive, Section 8(b), SBIR data rights clauses are non-negotiable and must not be the subject of negotiations pertaining to an award, or diminished or removed during award administration. Issuance of an award will not be made conditional based on forfeit of data rights. If the SBIR awardee wishes to transfer its SBIR data rights to the Air Force or to a third party, it must do so in writing under a separate agreement. A decision by the awardee to relinquish, transfer, or modify in any way its SBIR data rights must be made without pressure or coercion by the agency or any other party. Non-SBIR data rights less than unlimited will be evaluated and negotiated on a case-by-case basis. Government Purpose Rights are anticipated for data developed with DoD-reimbursed Independent Research and Development (IR&D) funding.


4. REPORTING: Once a proposal has been selected for award, offerors will be given complete instructions on the submission process for the reports.


VII. AGENCY CONTACTS:


Questions of a technical nature shall be directed to the cognizant technical point of contact, as specified below:
Michael Mayhew
AFRL/RIEBA
525 Brooks Road
Rome New York 13441-4505
Telephone: (315) 330-2898
Email: michael.mayhew.1@us.af.mil


Questions of a contractual/business nature shall be directed to the cognizant contracting officer, as specified below (emails are preferred):


Gail E. Marsh
Telephone (315) 330-7518
Email: Gail.Marsh@us.af.mil


The email must reference the solicitation (BAA) number and title of the acquisition.


In accordance with AFFARS 5301.91, an Ombudsman has been appointed to hear and facilitate the resolution of concerns from offerors, potential offerors, and others for this acquisition announcement. Before consulting with an ombudsman, interested parties must first address their concerns, issues, disagreements, and/or recommendations to the contracting officer for resolution. AFFARS Clause 5352.201-9101 Ombudsman (Apr 2014) will be incorporated into all contracts awarded under this BAA.


The AFRL Ombudsman is as follows:


Ms. Barbara Gehrs
AFRL/PK
1864 4th Street
Building 15, Room 225
Wright-Patterson AFB OH 45433-7130
FAX: (937) 656-7321; Comm: (937) 904-4407
Email: barbara.gehrs@us.af.mil


All responsible organizations may submit a white paper which shall be considered.



Added: May 20, 2015 7:15 am
BAA-RIK-14-02, Amendment 7

The purpose of this amendment is to make the following change: In SECTION I, "Funding Opportunity Description" add a new Focus Area for FY16 as identified below. NOTE: This focus area has a special submission date of 24 Jun 2015.


No other changes have been made.


1. The following is a new paragraph added under Funding Opportunity Description in Focus Areas for FY16:


Second Focus Area for FY16:


Applied Open Systems Development Techniques for C4I Trusted MLS Platforms:

Further the state of the art of new and existing innovative technologies and explore other potential COTS/GOTS capabilities that address the challenges of improved security, resiliency and agility through integration of novel Open Systems technologies into modernized systems of record. Research and develop new Open Architecture technologies through studies, analysis, engineering, design, development, prototype testing, demonstration and integration of new and existing technologies. Improve secure information sharing within and among multiple security domains from the enterprise to the tactical/mobile user, which includes overall cyber security capabilities for evolving multi-level solutions for the monitoring and management of their overall security environment and ecosystem. Leverage system requirements, combined with current socio-political considerations in relevant areas of responsibility, to create realistic use cases and demonstration scripts for use in exercising solutions and capabilities. This topic ensures a cohesive approach to addressing the MLS solutions lifecycle, from idea to proof of concept/realistic prototype to integration and testing of new technology within live and simulated environments.


The Submission Date for this focus area only - Applied Open Systems Development Techniques for C4I Trusted MLS Platforms - is 24 Jun 15.

26 Electronic Parkway
Rome, New York 13441-4514
United States
Gail E. Marsh,
Contracting Officer
Phone: 315-330-7518