
Upload: jamir-orfield

Post on 15-Dec-2015


Douglas Maughan
Division Director, Cyber Security Division
Homeland Security Advanced Research Projects Agency (HSARPA)
Department of Homeland Security (DHS) Science and Technology (S&T)

Obtaining Federal Research Funding

Understanding the Landscape

Contracting

Small Business Programs

Larger R&D Solicitations

Summary / Q&A

Federal Cyber Research Community

Agency / Org: National Science Foundation (NSF)
Research Agenda: Broad range of cyber security topics; several academic centers
Researchers: Academics and non-profits
Customers / Consumers: Basic research - no specific customers

Agency / Org: Defense Advanced Research Projects Agency (DARPA)
Research Agenda: Mostly classified; unclassified topics are focused on MANET solutions
Researchers: Few academics; large system integrators; research and government labs
Customers / Consumers: Mostly DOD; most solutions are GOTS, not COTS

Agency / Org: National Security Agency (NSA)
Research Agenda: SELinux; networking theory; CAE/IAE centers
Researchers: Mostly in-house
Customers / Consumers: Intelligence community; some NSA internal; some open source

Agency / Org: Intelligence Advanced Research Projects Agency (IARPA)
Research Agenda: Accountable Information Flow (AIF); Large Scale System Defense (LSSD); Privacy Protection Technologies (PPT)
Researchers: Mostly research labs, system integrators, and national labs; some academics
Customers / Consumers: Intelligence community

Agency / Org: Department of Homeland Security (DHS) S&T
Research Agenda: All unclassified; Secure Internet Protocols; Process Control Systems (PCS); Emerging Threats; Insider Threat; Cyber Forensics; Open Security Technologies; Next Generation Technologies
Researchers: Blend of academics, research and government labs, non-profits, private sector and small business
Customers / Consumers: DHS Components (including NPPD, NCSC, USCG, FLETC and USSS); CI/KR Sectors; USG and Internet

Increasing your success rate getting Federal R&D support

Understand your client:
• Federal agencies have distinctly different characters
• Different missions
• Different processes

Federal agencies are not charities:
• Money is appropriated to them for specific purposes
• You will be more successful if you can explain why your proposed R&D supports their mission

Federal R&D Process

Planning
• Identify requirements
• Develop program plan and allocate resources
• Communicate plans and priorities to technical community

Solicitation
• Posting solicitations
• Solicitation process – white papers
• Submitting proposals

Contract
• Different programs demand different contract vehicles
• Flexibility used to match mission

Execution
• Programs tailored to meet unique conditions of objectives
• Active interaction with performers

Federal R&D Programs

A program is led by a Program Manager (PM).

A program will have:
• Specific technology objectives aligned with customer needs which, if achieved, will have a significant operational impact
• A plan to move from the current level of technical maturity to a higher level (e.g., for DOD it’s TRLs – Technology Readiness Levels)
• A technical approach indicating how the objectives will be achieved
• A program structure indicating how the PM has deployed resources (time, money, executors) to achieve the objectives
• Deliverables
• Transition strategy / technology development path

Relationship with the Program Manager

PM wants to leverage existing technology, others’ R&D investment and market pull

PM wants the intellectual property strategy aligned with transition plan, but will (usually) negotiate

PM’s job is to manage technical and programmatic risk and WANTS YOU TO SUCCEED

The PM is a resource for you in accomplishing the R&D and in transitioning to the (government) customer

Mechanics of Proposing R&D

Find agencies with the closest mission match

Identify R&D element(s) within the agencies

Look for existing R&D solicitations (money already exists for these efforts!)

Do your homework (LOOK AT PREVIOUS SOLICITATIONS, read website, workshop results, and any presentations on your target program solicitation)

Respond to solicitation carefully – meet all administrative requirements and make sure your R&D matches the stated program needs

If no solicitation, contact R&D PM. Explain relevance to his/her mission. Be patient. Be persistent.

Contracting Vehicles

The Government has a range of contracting vehicles to match programmatic needs and contractor character:
• Grants
• Contracts
• Cooperative agreements
• Other Transactions for Research or Prototypes
  - Allows government to deal with non-traditional contractors who have desirable technologies, but do not want to keep “Government books”
  - Must comply with “generally acceptable accounting principles”

R&D Proposals

Team approach (technical & business)

Consider hiring a government contracting specialist

Cost realism

Cost or Price Analysis

Contract Types for R&D

Cost or Price Analysis

Level of complexity will vary:
• Contract type
• Dollar value

The basis of your proposal costs:
• Be prepared to provide backup data

Indirect rate structure

Fee/Profit

Business Capabilities

• Financial audit
• Proposal costs
• Accounting system
• Estimating system
• Financial capabilities
• Past performance

NOTE: If you’ve never had a government contract, consider talking with DCAA sooner rather than later. DCAA = Defense Contract Audit Agency

The Normal Contract

Terms
• Read & understand your contract
• Contract line items/deliverables
• Contract clauses

Performance
• Proposal - What did you say you would do?
• Deliverables - Due dates
• Acceptance - How accomplished

Payment
• Invoicing procedures and certification
• Prompt Payment Act
• Limitation of Funds/Limitation of Cost

Helpful Contracting Websites

http://www.dcaa.mil/dcaap7641.90.pdf

http://www.sba.gov/services/contractingopportunities

http://farsite.hill.af.mil

http://acquisition.gov/far/index.html

Programs for U.S. Small Business

Small Business Innovation Research (SBIR) – 2.5%
Set-aside program for small business concerns to engage in federal R&D -- with potential for commercialization

Small Business Technology Transfer (STTR) – 0.3%
Set-aside program to facilitate cooperative R&D between small business concerns and research institutions -- with potential for commercialization

SBIR - A 3 Phase Program

PHASE I
• Feasibility study
• $100K (in general) and 6 month effort

PHASE II
• Full research/R&D
• $750K and 24 month effort
• Commercialization plan required

PHASE III
• Commercialization stage
• Use of non-SBIR funds

Which Government Agencies?

Both SBIR/STTR: Defense, Health & Human Services, NASA, DOE, NSF, DHS

SBIR only: DOA, DOC, ED, EPA, DOT, NIH

Agency SBIR Differences

• Number and timing of solicitations
• R&D topic areas – broad vs. focused
• Dollar amount of award (Phase I and II)
• Proposal preparation instructions
• Financial details (e.g., indirect cost rates)
• Proposal review process
• Proposal success rates
• Types of award
• Commercialization assistance
• And more…

Agency differences: ALWAYS CHECK WITH AGENCIES

SBIR Program: Small Business Concern Eligibility

Organized for-profit place of business located in the U.S., which operates primarily within the U.S. or makes a significant contribution to the U.S. economy through payment of taxes or use of American products, materials or labor

Is in the legal form of an individual proprietorship, partnership, limited liability company, corporation, joint venture, association, trust or cooperative; where the form is a joint venture, there can be no more than 49% participation by business entities in the joint venture

SBIR Program: Small Business Concern Eligibility (Continued)

Fewer than 500 employees, including affiliates

Principal Investigator’s (PI) primary employment must be with the small business concern at the time of award and for the duration of the project period

A significant amount of the PI’s time will be devoted to the SBIR effort

Performance of R&D Activities

“All research/R&D must be performed in its entirety in the U.S.”

• In rare cases, conducting testing of specific patient populations outside the U.S. is allowable
• Travel to a scientific meeting in a foreign country is allowable
• Foreign consultants/collaborators are allowable, but must perform the consulting in the U.S.

Intellectual Property, Data Rights and the SBIR Program

As with all contracts, pursuant to the Bayh-Dole Act, an SBIR contractor can elect title to inventions discovered under the SBIR contract (FAR 52.227-11)

The Small Business Act (15 U.S.C. 631(j)(2)(A)) provides for retention by an SBIR awardee of the rights to data generated by the concern in the performance of an SBIR award; protection of SBIR data is intended to provide an incentive for further development or commercialization of the technology by the SBIR awardee

If you don’t understand the IPR issues, get help!!

Intellectual Property, Data Rights and the SBIR Program (2)

The SBIR Program is an instance in which government funds are to be used to create data protected from disclosure, and therefore, has its own rights in data clause (FAR 52.227-20)

As a result, the government must protect from disclosure and non-governmental use “SBIR data”, technical data, and computer software first produced under a SBIR funding agreement and properly marked

The period of protection under the FAR is four years from delivery of the last deliverable under that agreement (either Phase I, Phase II, or a Federally-funded SBIR Phase III)

Protections against disclosure of data from one phase may extend to four years after subsequent SBIR awards if properly recognized in subsequent awards

DHS S&T SBIR Evaluation Criteria

The soundness, technical merit, and innovation of the proposed approach and its progress toward topic solution

The qualifications of the proposed principal investigators, supporting staff, and consultants

Qualifications include not only the ability to perform the research and development but also the ability to commercialize the results

The potential for commercial (government or private sector) application and the benefits expected to accrue from this commercialization

Proposal Submissions by Size of Company (FY04.2 – FY10.2 data)

Number of Employees   Share of Proposals
1                     4%
2-9                   39%
10-24                 22%
25-49                 11%
50-99                 9%
100-249               13%
250-500               2%

DHS SBIR Phase I Data from 14 Competitions through FY10.2*

Total Phase I Submissions/Awards: 2,608/423

* Includes STTR data

Phase I submissions/awards by state:

AK 3/1      AL 48/7     AR 3/0      AZ 46/10
CA 535/104  CO 68/10    CT 47/8     DC 6/0
DE 9/0      FL 93/11    GA 39/3     HI 17/3
IA 4/0      ID 8/0      IL 49/6     IN 35/3
KS 6/1      KY 10/1     LA 19/2     MA 269/55
MD 169/23   ME 11/0     MI 70/9     MN 41/7
MO 19/2     MS 5/0      MT 9/2      NC 32/5
ND 1/0      NE 7/1      NH 25/6     NJ 69/6
NM 42/7     NV 17/1     NY 101/28   OH 49/1
OK 10/3     OR 22/5     PA 63/8     PR 3/0
RI 7/1      SC 8/1      SD 2/0      TN 19/1
TX 140/23   UT 28/7     VA 239/35   VT 10/1
WA 51/12    WI 13/2     WV 10/1     WY 2/0

Small Business Innovative Research (SBIR)

Since 2004, the DHS S&T Cyber Security Program has had:
• 47 Phase I efforts
• 22 Phase II efforts
• 5 efforts currently in progress
• 8 commercial products available
• Three acquisitions:

Komoku, Inc. (MD) acquired by Microsoft in March 2008

Endeavor Systems (VA) acquired by McAfee in January 2009

Solidcore (CA) acquired by McAfee in June 2009

Added Bonus - Cost Match

Allows small businesses to seek additional funding for Phase II projects from non-SBIR sources

Minimum of $100,000 to maximum of $500,000 of outside funding

Matched by DHS SBIR up to $250,000 in a 1:2 ratio

Additional funds require additional scope – need to either add R&D on SBIR contract or other development and commercialization activities (or some of both)

Cost match is a motivator for, and an indicator of, commercial potential

The DoD IA Research Community

• NSA / National IA Research Lab
• ONR / NRL
• AFRL / AFOSR
• ARL / ARO
• DARPA
• Academia
• Industry

SBIRs are funded by DDR&E, DARPA, the Services and Agencies

DDR&E Small Business Innovative Research (SBIR) Program

Cyber Security awards, 2007 - present:
• 123 Phase I awards
• 39 Phase II awards
• Roughly $11 M per year in DDR&E awards

Annual SBIR Workshop: last one was 20-22 July 2010; next one is 12-14 July 2011 in WDC

Links government, SBIR researchers, prime contractors

150 participants

Includes SBIR & STTR

DOD DDR&E SBIR topics

• OSD10-IA1 Countermeasures to Malicious Hardware to Improve Software Protection Systems

• OSD10-IA2 Effective Portable Data Content Inspection and Sanitization

• OSD10-IA3 Robust and Effective Anti-Phishing Techniques

• OSD10-IA4 Preventing Sensitive Information and Malicious Traffic from Leaving Computers

• OSD10-IA5 Biometric-based Computer Authentication during Mission-Oriented Protective Posture Scenarios

Useful Web Sites and DHS S&T Directorate SBIR Point of Contact

https://sbir.dhs.gov

www.baa.st.dhs.gov

www.dhs.gov

www.dhs.gov/xopnbiz/

www.fedbizopps.gov

www.sbir.gov

Elissa (Lisa) Sobolewski, DHS SBIR Program, [email protected], (202) 254-6768

S&T SBIR Program Email: [email protected]

Broad Agency Announcements (BAAs)

http://baa.st.dhs.gov

R&D funding model that delivers both near-term and medium-term solutions:

To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure;

To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;

To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

Past Solicitations

http://baa.st.dhs.gov

Left hand side – Past Solicitations

Look for BAA 07-09 and BAA 04-17

Review BAA, any modifications or amendments, presentations, etc.

BAA Program / Proposal Structure

Type I (New Technologies): New technologies with an applied research phase, a development phase, and a deployment phase (optional). Funding not to exceed 36 months (including deployment phase).

Type II (Prototype Technologies): More mature prototype technologies with a development phase and a deployment phase (optional). Funding not to exceed 24 months (including deployment phase).

Type III (Mature Technologies): Mature technology with a deployment phase only. Funding not to exceed 12 months.

BAA 07-09 Technical Topic Areas

• Botnets and Other Malware: Detection and Mitigation
• Composable and Scalable Secure Systems
• Cyber Security Metrics
• Network Data Visualization for Information Assurance
• Internet Tomography / Topography
• Routing Security Management Tool
• Process Control System Security
• Secure and Reliable Wireless Communication for Control Systems
• Real-Time Security Event Assessment and Mitigation
• Data Anonymization Tools and Techniques
• Insider Threat Detection and Mitigation

BAA 07-09 White Papers

(Type I = 36 months, Type II = 24 months, Type III = 12 months)

Registrations Received

         Type I   Type II   Type III   TOTALS
TTA 1    56       48        11         115
TTA 2    85       47        15         147
TTA 3    51       22        8          81
TTA 4    36       29        10         75
TTA 5    21       12        4          37
TTA 6    10       8         5          23
TTA 7    43       31        13         87
TTA 8    22       16        4          42
TTA 9    49       30        15         94
TOTALS   373      243       85         701

Submissions Received

         Type I   Type II   Type III   TOTALS
TTA 1    30       25        6          61
TTA 2    49       33        7          89
TTA 3    23       10        2          35
TTA 4    17       18        4          39
TTA 5    10       5         1          16
TTA 6    3        4         2          9
TTA 7    27       16        7          50
TTA 8    10       7         1          18
TTA 9    24       16        6          46
TOTALS   193      134       36         363

BAA 07-09 Full Proposal Statistics

FULL PROPOSALS

         Type I   Type II   Type III   TOTALS
TTA 1    5        4         3          12
TTA 2    5        7         0          12
TTA 3    2        3         1          6
TTA 4    4        5         0          9
TTA 5    3        0         0          3
TTA 6    2        2         1          5
TTA 7    5        2         1          8
TTA 8    1        1         0          2
TTA 9    3        3         0          6
TOTALS   30       27        6          63

80 offerors were encouraged to submit Full Proposals based on the White Paper reviews; 63 of those offerors submitted Full Proposals.

AWARD SUMMARY
Type I – 6
Type II – 9
Type III – 2

LEADS
Academic – 6
Industry – 10
Labs – 1


12 CNCI Projects

Establish a front line of defense
• Reduce the Number of Trusted Internet Connections
• Deploy Passive Sensors Across Federal Systems
• Pursue Deployment of Automated Defense Systems
• Coordinate and Redirect R&D Efforts

Resolve to secure cyberspace / set conditions for long-term success
• Connect Current Centers to Enhance Situational Awareness
• Develop Gov’t-wide Counterintelligence Plan for Cyber
• Increase Security of the Classified Networks
• Expand Education

Shape future environment / secure U.S. advantage / address new threats
• Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
• Define and Develop Enduring Deterrence Strategies & Programs
• Manage Global Supply Chain Risk
• Cyber Security in Critical Infrastructure Domains

CNCI = Comprehensive National Cyber Initiative

National Cyber Leap Year (NCLY)

RFI – 1: Generic, wide-open. Received over 160 responses; created 9 research areas:
Attribution, Cyber Economics, Disaster Recovery, Network Ecology, Policy-based Configuration, Randomization/Moving Target, Secure Data, Software Assurance, Virtualization

RFI – 2: Same as RFI-1, but providing IP protection. Received over 30 responses

RFI – 3: Requested submissions only in the 9 research areas above. Received over 40 responses

National Cyber Leap Year (NCLY) Summit, August 17-19, 2009. Results posted on http://www.nitrd.gov

NCLY Summit Topics

Cyber economics

Digital provenance

Hardware enabled trust

Moving target defense

Nature inspired cyber defense

Expectation: Agencies will include these topics in future solicitations

Cyber Economics

Enable trusted repositories of data and metrics to allow economic analysis

Theories, models, and scientific understanding of cyber economics

Environment for training users and allowing controls of personal data

Tools to empower service providers in the defense of their infrastructure

Digital Provenance

Develop new mechanisms for digital provenance definitions and management

Create technologies allowing stable and trustworthy entity identity

Advance data security techniques for provenance of data from creation to destruction

Hardware Enabled Trust

Create new resilient (diversity, redundancy, recovery) hardware

Hardware defenses for hardware attacks

Develop new trustworthy data storage architectures and technologies

Moving Target Defense

Technologies allowing a shift from reactive security postures to active preemptive postures

Create and develop manageable moving target mechanisms that create disruption for the adversaries, but not for the legitimate users

Techniques to analyze the effectiveness of MT mechanisms against various attacks and disruptions

Solutions that increase the ability to observe, shape, and expose the actions of adversaries as they attempt to evade and break MT mechanisms

Nature Inspired Cyber Defense

Improve current distributed network defenses to react more quickly

Create technologies that provide evolving system immunity to attacks

Establish a Cyber-CDC (global cyber information sharing)

Analyze legal aspects associated with active cyber defense

A Roadmap for Cybersecurity Research

http://www.cyber.st.dhs.gov

• Scalable Trustworthy Systems
• Enterprise Level Metrics
• System Evaluation Lifecycle
• Combatting Insider Threats
• Combatting Malware and Botnets
• Global-Scale Identity Management
• Survivability of Time-Critical Systems
• Situational Understanding and Attack Attribution
• Information Provenance
• Privacy-Aware Security
• Usable Security

Roadmap Content

• What is the problem being addressed?
• What are the potential threats?
• Who are the potential beneficiaries? What are their respective needs?
• What is the current state of practice?
• What is the status of current research?
• What are the research gaps?
• What challenges must be addressed?
• What resources are needed?
• How do we test & evaluate solutions?
• What are the measures of success?

Summary

Learn about the agencies, their missions, and meet the Program Managers

Build your team to deliver – consider including contracting personnel

Understand the opportunities – SBIR, STTR, BAA, CNCI R&D, RFP (not discussed in this presentation)

Douglas Maughan, Ph.D.

Division Director

Cyber Security Division

Homeland Security Advanced Research Projects Agency (HSARPA)

[email protected]

202-254-6145 / 202-360-3170

For more information, visit http://www.cyber.st.dhs.gov