pem-dev readers may find the following announcement of interest in terms of
summarizing the current direction of applied research in computer and
network security.
-Rob-
Regards, -Rob- Robert W. Shirey SHIREY(_at_)MITRE(_dot_)ORG
tel 703.883.7210, sec 703.883.5749, fax 703.883.1397
Info. Security Div., The MITRE Corp., Mail Stop Z231
7525 Colshire Drive, McLean, Virginia 22102-3481 USA
------- Forwarded Message
*******************************************************************
Due to the possibility of transcription errors, the official CBD [that
means the Commerce Business Daily, a U.S. Government publication]
announcement takes precedence over this transcription in any
disagreement between the two. The transcription is provided for your
convenience only.
=================================================
DATE 950119
Advanced Research Projects Agency (ARPA), Contracts Management Office (CMO),
3701 North Fairfax Drive, Arlington, VA 22203-1714
BROAD AGENCY ANNOUNCEMENT:
INFORMATION SYSTEM SECURITY SOL BAA95-15
DUE 041795
POC Teresa F. Lunt, ARPA/CSTO, POC, FAX: (703)522-2668.
The Advanced Research Projects Agency (ARPA) is soliciting proposals for
research in various aspects of computer and network security, to create and
integrate advanced security technologies for the DII, NII, National Challenge
problems, and defense uses. This solicitation is part of a larger strategy for
developing technology for defensive information warfare.
Proposals are sought that address one or more of the following areas:
1) Infrastructure Protection:
Proposals are sought to develop prototypes of security mechanisms, value-added
security services, packet and cell encryption techniques, and seamlessly
integrated security in mobile, high-data-rate, multimedia, network
technologies. Of interest are the creation of modular value-added security
services such as authentication, authorization, auditing and audit analysis,
security management, nonrepudiation, and anonymity, and the redesign of network
protocols to remove known security weaknesses, especially vulnerability to
malicious denial of service attacks. In addition, research prototypes are
sought for a protected infrastructure for key management that could support
both symmetric and asymmetric keying needed by secure applications and network
services. As a complementary method to other protection schemes, ARPA also is
interested in research into packet and cell encryption devices and techniques.
Proposed encryption devices should support performance ranges up to 10
gigabit/second and 10 megapacket/second, a variety of addressing schemes
(unicast and multicast), and modularly replaceable cryptographic services, and
should interface to a variety of network technologies. For all of the above,
approaches that include multiparty software key escrow as a key management
function are encouraged. Where appropriate, research should be applicable to
unicast, broadcast, and dynamic group (multicast) communications and
specifically address the problem of interoperability of various plausible
security infrastructures. Specific deliverables may include libraries or
toolkits with standard interfaces for linking security functions and services
to applications.
Technical POC: Teresa F. Lunt, Michael StJohns
2) Protection of End-systems:
ARPA is seeking technology to allow geographically separated parts of an
organization to interact as if they shared a common security perimeter.
Approaches should allow uniform system-wide security policies to be enforced,
and should provide a high degree of resistance to attack while providing
greater interoperability with applications. Of special interest is research
and prototyping of firewalls, technologies to support secure distributed
applications across heterogeneous platforms, secure configuration controls,
and security administration tools. Approaches should allow a variety of
organization-specific security policies to be defined and enforced and allow
for varying degrees of configurable assurance. Security prototypes may be
integrated into standard or emerging systems or be at the core of new
technology. Proposals are encouraged in the area of generating and linking
policy-enforcement derived from high-level expression of security policy,
constraints, and requirements into specific applications. Also of interest is
technology to allow system components or devices to be mutually authenticated
to provide secure configuration. Proposals regarding security management
technology should result in efficient and scalable tools allowing
administrators of large systems to assess their systems' vulnerabilities, to
bring their systems into compliance with any given set of security
requirements, to remotely monitor systems for security compliance, and to
quickly assess and correct damage from security incidents. Proposals for
end-system protection through appropriate design and function of operating
systems and services are strongly encouraged; proposals for work in the area
of operating systems and services should be submitted through the forthcoming
companion BAA on Scalable Systems and Software.
Technical POC: Teresa F. Lunt, Glenn Ricart
3) Assurance:
Proposals are sought for prototype experimental system structuring languages,
analysis methods, and systems development tools and development environment to
express the structure of information systems, reason about their security and
other properties, and allow efficient and secure implementations. The proposed
approach should be capable of expressing modular operating system structures,
networking and other system services, and distributed information system
protocols including those providing security services. Approaches that also
address system hardware levels and their integration into higher-level system
structures are also desired. Proposed projects should be based on well-founded
languages which include abstraction mechanisms suitable for expressing and
reasoning about complex system structures. Reuse of current methodologies and
tools is encouraged where possible. Approaches are encouraged to integrate
security tools and assurance methods into existing or emerging automated
programming support environments. Demonstration of the approach on
state-of-the-art security systems and an assessment of the degree of increased
security achieved is encouraged. Proposals are also sought for metrics,
evaluation techniques, and tools for quantitative assessment of system
security or strength against attack.
Technical POC: Teresa F. Lunt, John Salasin
PROGRAM SCOPE
Proposed research should investigate innovative, scalable approaches that lead
to or enable revolutionary advances in the state of the art. Specifically
excluded is research which primarily results in evolutionary improvement to
the existing state of practice or focuses on a specific system or hardware
solution. Topics are not limited to those outlined above. When appropriate,
new concepts are to be demonstrated by means of prototypes or reference
implementations. Proposals may range from small-scale efforts that are
primarily theoretical in nature, to medium-scale experimental and prototyping
efforts of hardware and/or software, to larger-scale integrated systems
efforts. The target computing environment includes wireless and mobile
platforms as well as fixed-location hosts. Proposals may involve other
research groups or industrial cooperation and cost sharing. Collaborative
efforts and teaming are encouraged. Technologies which have a broad impact
will be given highest priority. Proposals will be considered in each of the
above areas as well as across multiple areas.
Proposers are strongly encouraged to include tasks that evaluate the security
of their resulting prototypes under realistic scenarios. Remaining
vulnerabilities of proposed approaches should be identified, and proposers are
encouraged to include techniques for the detection of attacks that exploit
those weaknesses. Proposals should identify opportunities for technology
transfer within the commercial marketplace and employ evolutionary concepts to
allow their approaches to maintain currency with emerging technology.
Scalable, efficient, and interoperable approaches are encouraged.
ARPA does not advocate or endorse the use of any particular cryptographic
algorithm or cryptographic system. Proposals involving the use of cryptography
must be modular and independent of encryption algorithm, allowing replacement
with other algorithms, and employing two or more algorithms if possible.
Development of cryptographic algorithms or cryptoanalytic attacks is not
within scope of this solicitation.
Some Government Furnished Equipment and Information (GFE) in the form of
FORTEZZA cryptographic cards and PCMCIA card readers (up to 5 per contract),
the FORTEZZA C library and device drivers (for selected platforms only), and
the FORTEZZA Applications Developers Guide may be available, but ARPA does not
guarantee its availability. It is also anticipated that GFE software
cryptography will become available during the course of projects awarded under
this BAA. Proposers may request the use of such GFE, but must describe
alternatives they would use in the event this GFE is not available.
GENERAL INFORMATION
In order to minimize unnecessary effort in proposal preparation and review,
proposers are strongly encouraged to submit brief proposal abstracts in advance
of full proposals. An original and three (3) copies of the proposal abstract
must be submitted to
ARPA/CSTO,
3701 North Fairfax Drive,
Arlington, VA 22203-1714,
(ATTN: BAA 95-15)
on or before 4:00 PM, February 17, 1995. Proposal abstracts received after this
date may not be reviewed. Upon review, ARPA will provide written feedback on
the likelihood of a full proposal being selected.
Proposers must submit an original and four (4) copies of full proposals by
4:00 PM, April 17, 1995,
in order to be considered. Proposers must obtain a pamphlet, BAA 95-15 Proposer
Information, which provides further information on the submission, evaluation,
funding processes, proposal and proposal abstract formats. This pamphlet may
be obtained by fax, electronic mail, or mail request to the administrative
contact address given below, as well as at URL address
http://www.csto.arpa.mil/Solicitations.
Proposals not meeting the format described in the pamphlet may not be reviewed.
This notice, in conjunction with the pamphlet BAA 95-15 Proposer Information,
constitutes the total BAA. No additional information is available, nor will a
formal RFP or other solicitation regarding this announcement be issued.
Requests for same will be disregarded. The Government reserves the right to
select for award all, some, or none of the proposals received. All responsible
sources capable of satisfying the Government's needs may submit a proposal
which shall be considered by ARPA. Historically Black Colleges and Universities
(HBCU) and Minority Institutions (MI) are encouraged to submit proposals and
join others in submitting proposals; however, no portion of this BAA will be
set aside for HBCU and MI participation due to the impracticality of reserving
discrete or severable areas of information security research.
Evaluation of proposals will be accomplished through a scientific review of
each proposal using the following criteria, which are listed in descending
order of relative importance:
(1) overall scientific and technical merit,
(2) potential contribution and relevance to ARPA mission,
(3) offeror's capabilities and related experience,
(4) plans and capability to accomplish technology transition, and
(5) cost realism.
Note: Cost realism will be significant only in proposals which have
significantly under or over estimated the cost to complete their effort.
All administrative correspondence and questions on this solicitation, including
requests for information on how to submit a proposal abstract or proposal to
this BAA, should be directed to one of the administrative addresses below;
e-mail or fax is preferred. ARPA intends to use electronic mail and fax for
correspondence regarding BAA 95-15. The administrative addresses for this BAA
are:
Fax: 703-522-2668 Address to: ARPA/CSTO, BAA 95-15
Electronic Mail: baa9515(_at_)arpa(_dot_)mil
Mail: ARPA/CSTO,
ATTN: BAA 95-15
3701 N. Fairfax Drive
Arlington, VA 22203-1714
BAA 95-15 Proposer Information Pamphlet
EVALUATION AND FUNDING PROCESSES
Proposals will not be evaluated against each other since they are not submitted
in accordance with a common work statement. ARPA's intent is to review
proposals as soon as possible after they arrive; however, proposals may be
reviewed periodically for administrative reasons.
For evaluation purposes, a proposal is the document described in PROPOSAL
FORMAT (see below). Other supporting or background materials submitted with the
proposal will be considered for the reviewer's convenience only and not
considered as part of the proposal. As soon as the proposal evaluation is
completed, the proposer will be notified of selectability or non-selectability.
Selectable proposals will be considered for funding; non-selectable proposals
will be destroyed. (One copy of non-selectable proposals may be retained for
filing purposes).
Not all proposals deemed selectable will be funded. Decisions to fund
selectable proposals will be based on funds available, scientific and
technical merit, and potential contribution and relevance to ARPA's
mission. Proposals may be considered for funding for a period of up to one
year. Government reserves the right to select for award all, some, or none of
the proposals
received. All responsible sources capable of satisfying the Government's needs
may submit a proposal which shall be considered by ARPA.
Proposals identified for funding may result in a contract, grant, cooperative
agreement, or other transaction depending upon the nature of the work proposed,
the required degree of interaction between parties, and other factors. If
warranted, portions of resulting awards may be segregated into pre-priced
options.
SUBMISSION PROCESS
Proposers are strongly encouraged to submit a proposal abstract in advance of
actual proposals. This procedure is intended to minimize unnecessary effort in
proposal preparation and review. An original and three (3) copies of each
abstract and an original and four (4) copies of each proposal must be submitted
to the administrative address for this BAA. ARPA will acknowledge receipt of
the submission and assign a control number that should be used in all further
correspondence regarding abstracts and proposals.
ARPA will attempt to review proposal abstracts within 30 days after receipt
and will make a recommendation to propose or not propose formal submissions.
Proposal abstracts will be reviewed as they are received. Early submissions
are strongly encouraged. Regardless of the recommendation, the decision to
propose is the responsibility of the proposer. All submitted proposals will
be fully reviewed regardless of the disposition of the proposal abstract.
Proposers not submitting proposal abstracts are required to submit full
proposals by the date and time specified in the BAA.
The typical proposal should express a consolidated effort in support of one or
more related technical concepts or ideas. Disjoint efforts should not be
included in a single proposal.
Restrictive notices notwithstanding, proposals may be handled, for
administrative purposes only, by a support contractor. This support contractor
is prohibited from competition in ARPA technical research and is bound by
appropriate non-disclosure requirements. All proposals will be reviewed by
government officials and their designated FFRDC personnel only.
PROPOSAL ABSTRACT FORMAT
Proposal abstracts are encouraged in advance of full proposals in order to
provide potential offerors with a rapid response and to minimize unnecessary
effort. An original and three (3) copies of the proposal abstract must be
submitted to
ARPA/CSTO,
3701 North Fairfax Drive,
Arlington, VA 22203-1714,
(ATTN: BAA 95-15)
on or before 4:00 PM, February 17, 1995. Proposal abstracts received after
this date may not be reviewed. Proposal abstracts should follow the same general
format as described under PROPOSAL FORMAT (see below) except that sections C,
J, and K should be omitted and sections B and D may be combined. The cover
sheet should be clearly marked "PROPOSAL ABSTRACT" and all sections should be
limited to one page, except section F, which should be limited to 3 pages. The
total length of the document should not exceed 10 pages. Proposal abstracts
ONLY (not proposals) may alternatively be submitted via electronic mail to
baa9515(_at_)arpa(_dot_)mil. Email submissions must be formatted as plain
ASCII, 72 characters to the line, 60 lines to the page. This is the only format
that will be accepted. No formal transmittal letter is required.
PROPOSAL FORMAT
Proposers must submit an original and four (4) copies of full proposals by
4:00 PM, April 17, 1995, in order to be considered. All full proposals must be in
the format given below. Nonconforming proposals may be rejected without
review.
The Technical and Management Proposal shall include the following sections,
each starting on a new page (where a "page" is 8-1/2 by 11 inches with type
not smaller than 12 point). It may include an attached bibliography of relevant
technical papers or research notes (published or unpublished) which document
the technical ideas and approach upon which the proposal is based. Copies of
not more than 3 relevant papers can be included with the submission. The
submission of other supporting materials along with the proposal is strongly
discouraged. Except for the attached bibliography, it shall not exceed 40
pages. Maximum page lengths for each section are shown in braces {} below.
Section I. Administrative
A. {1} Cover Page including:
(1) BAA number,
(2) Technical topic area,
(3) Proposal title,
(4) Technical point of contact including: name, telephone number, electronic
mail (if available), fax (if available) and mailing address,
(5) Administrative point of contact including: name, telephone number,
electronic mail (if available), fax (if available) and mailing address.
(6) Summary of the schedule and milestones for the proposed research, including
total base cost, estimates of base cost in each year of the effort,
estimates of itemized options in each year of the effort, total cost
(including options), and cost sharing if relevant.
(7) Contractor's type of business, selected among the following categories:
"LARGE BUSINESS," "SMALL DISADVANTAGED BUSINESS," "OTHER SMALL BUSINESS,"
"HBCU," "MI," "OTHER EDUCATIONAL," or "OTHER NONPROFIT."
Section II. Summary of Proposal
This section provides an overview of the proposed work as well as an
introduction to the associated technical and management issues.
A. {1} Innovative claims for the proposed research. This page is the
centerpiece of the proposal and should succinctly describe the unique proposed
contribution.
B. {2} Deliverables associated with the proposed research. Include in this
section all proprietary claims to results, prototypes, or systems supporting
and/or necessary for the use of the research, results, and/or prototype. If
there are no proprietary claims, this should be stated.
C. {3} Statement of Work (SOW) written in plain English, outlining the scope of
the effort and citing specific tasks to be performed and specific contractor
requirements.
D. {5} Description of the results, products, transferable technology, and
expected technology transfer path.
E. {1} Cost, schedule, and milestones for the proposed research, including
estimates of cost for each task in each year of the effort and total cost.
F. {12} Technical rationale, technical approach and constructive plan for
accomplishment of technical goals in support of innovative claims and
deliverable production.
G. {3} Comparison with other ongoing research indicating advantages and
disadvantages of the proposed effort.
H. {2} List of key personnel and concise summary of their qualifications along
with the amount of effort to be expended by each person during each contract
year and other (current and proposed) major sources of support for them.
I. {3} Discussion of proposer's previous accomplishments and work in this or
closely related research areas.
J. {1} Description of the facilities that would be used for the proposed
effort.
K. {5} Cost breakdown to the level of major tasks and equipment for the entire
contract and for each contract year. Where the effort consists of multiple
portions which could reasonably be partitioned for purposes of funding, these
should be identified as contract options with separate cost estimates for each.
Details of any cost sharing should also be included.
Section III. Additional Information
A bibliography of relevant technical papers and research notes (published and
unpublished) which document the technical ideas upon which the proposal is
based. Copies of not more than 3 relevant papers can be included in the
submission, one set for each of the four copies.
------- End of Forwarded Message