Douglas Maughan
Division Director, Cyber Security Division
Homeland Security Advanced Research Projects Agency (HSARPA)
Department of Homeland Security (DHS) Science and Technology (S&T)
Obtaining Federal Research Funding
Understanding the Landscape
Contracting
Small Business Programs
Larger R&D Solicitations
Summary / Q&A
Federal Cyber Research Community

Agency / Org: National Science Foundation (NSF)
Research Agenda: Broad range of cyber security topics; several academic centers
Researchers: Academics and non-profits
Customers / Consumers: Basic research; no specific customers

Agency / Org: Defense Advanced Research Projects Agency (DARPA)
Research Agenda: Mostly classified; unclassified topics are focused on MANET solutions
Researchers: Few academics; large system integrators; research and government labs
Customers / Consumers: Mostly DOD; most solutions are GOTS, not COTS

Agency / Org: National Security Agency (NSA)
Research Agenda: SELinux; networking theory; CAEIAE centers
Researchers: Mostly in-house
Customers / Consumers: Intelligence community; some NSA internal; some open source

Agency / Org: Intelligence Advanced Research Projects Agency (IARPA)
Research Agenda: Accountable Information Flow (AIF); Large Scale System Defense (LSSD); Privacy Protection Technologies (PPT)
Researchers: Mostly research labs, system integrators, and national labs; some academics
Customers / Consumers: Intelligence community

Agency / Org: Department of Homeland Security (DHS) S&T
Research Agenda: All unclassified; Secure Internet Protocols; Process Control Systems (PCS); Emerging Threats; Insider Threat; Cyber Forensics; Open Security Technologies; Next Generation Technologies
Researchers: Blend of academics, research and government labs, non-profits, private sector and small business
Customers / Consumers: DHS Components (including NPPD, NCSC, USCG, FLETC and USSS); CI/KR Sectors; USG and Internet
Increasing your success rate getting Federal R&D support
Understand your client
Federal agencies have distinctly different characters: different missions, different processes
Federal agencies are not charities
Money is appropriated to them for specific purposes
You will be more successful if you can explain why your proposed R&D supports their mission
Federal R&D Process
Planning
• Identify requirements
• Develop program plan and allocate resources
• Communicate plans and priorities to technical community
Solicitation
• Posting solicitations
• Solicitation process – white papers
• Submitting proposals
Contract
• Different programs demand different contract vehicles
• Flexibility used to match mission
Execution
• Programs tailored to meet unique conditions of objectives
• Active interaction with performers
Federal R&D Programs
A program is led by a Program Manager (PM)
A program will have:
Specific technology objectives aligned with customer needs which, if achieved, will have a significant operational impact
A plan to move from the current level of technical maturity to a higher level (e.g., for DOD it's TRLs – Technology Readiness Levels)
A technical approach indicating how the objectives will be achieved
A program structure indicating how the PM has deployed resources (time, money, executors) to achieve the objectives
Deliverables
Transition Strategy / Technology Development Path
Relationship with the Program Manager
PM wants to leverage existing technology, others’ R&D investment and market pull
PM wants the intellectual property strategy aligned with transition plan, but will (usually) negotiate
PM’s job is to manage technical and programmatic risk and WANTS YOU TO SUCCEED
The PM is a resource for you in accomplishing the R&D and in transitioning to the (government) customer
Mechanics of Proposing R&D
Find agencies with closest mission match
Identify R&D element(s) within the agencies
Look for existing R&D solicitations (money already exists for these efforts!)
Do your homework (LOOK AT PREVIOUS SOLICITATIONS, read website, workshop results, and any presentations on your target program solicitation)
Respond to solicitation carefully – meet all administrative requirements and make sure your R&D matches the stated program needs
If no solicitation, contact R&D PM. Explain relevance to his/her mission. Be patient. Be persistent.
Contracting Vehicles
The Government has a range of contracting vehicles to match programmatic needs and contractor character:
Grants
Contracts
Cooperative agreements
Other Transactions for Research or Prototypes
Other Transactions allow the government to deal with non-traditional contractors who have desirable technologies but do not want to keep "Government books"; they must still comply with "generally accepted accounting principles"
R&D Proposals
Team approach (technical & business)
Consider hiring a government contracting specialist
Cost realism
Cost or Price Analysis
Contract Types for R&D
Cost or Price Analysis
Level of complexity will vary with contract type and dollar value
The basis of your proposal costs: be prepared to provide backup data
Indirect Rate Structure
Fee/Profit
Business Capabilities
Financial Audit
Proposal Costs
Accounting System
Estimating System
Financial Capabilities
Past Performance
NOTE: If you've never had a government contract, consider talking with DCAA sooner rather than later. DCAA = Defense Contract Audit Agency
The Normal Contract
Terms: Read & understand your contract; Contract Line Items / Deliverables; Contract Clauses
Performance: Proposal – what did you say you would do? Deliverables – due dates; Acceptance – how accomplished
Payment: Invoicing procedures and certification; Prompt Payment Act; Limitation of Funds / Limitation of Cost
Helpful Contracting Websites
http://www.dcaa.mil/dcaap7641.90.pdf
http://www.sba.gov/services/contractingopportunities
http://farsite.hill.af.mil
http://acquisition.gov/far/index.html
Programs for U.S. Small Business
Small Business Innovation Research (SBIR) – 2.5% set-aside: Set-aside program for small business concerns to engage in federal R&D, with potential for commercialization
Small Business Technology Transfer (STTR) – 0.3% set-aside: Set-aside program to facilitate cooperative R&D between small business concerns and research institutions, with potential for commercialization
SBIR - A 3 Phase Program
PHASE I • Feasibility Study • $100K (in general) and 6 month effort
PHASE II • Full Research/R&D • $750K and 24 month effort • Commercialization plan required
PHASE III • Commercialization Stage • Use of non-SBIR Funds
Which Government Agencies?
Both SBIR/STTR: Defense, Health & Human Services, NASA, DOE, NSF, DHS
SBIR only: DOA, DOC, ED, EPA, DOT, NIH
Agency SBIR Differences
Number and timing of solicitations
R&D topic areas – broad vs. focused
Dollar amount of award (Phase I and II)
Proposal preparation instructions
Financial details (e.g., indirect cost rates)
Proposal review process
Proposal success rates
Types of award
Commercialization assistance
And more…
SBIR Program: Small Business Concern Eligibility
Organized for-profit place of business located in the U.S., operates primarily within the U.S., or which makes significant contribution to the U.S. economy through payment of taxes or use of American products, materials or labor
Is in the legal form of an individual proprietorship, partnership, limited liability company, corporation, joint venture, association, trust or cooperative; where the form is a joint venture, there can be no more than 49% participation by business entities in the joint venture
SBIR Program: Small Business Concern Eligibility (Continued)
Fewer than 500 employees, including affiliates
Principal Investigator's (PI) primary employment must be with the small business concern at the time of award and for the duration of the project period
A significant amount of the PI's time will be devoted to the SBIR effort
Performance of R&D Activities
"All research/R&D must be performed in its entirety in the U.S."
Rare cases to conduct testing of specific patient populations outside the U.S. are allowable
Travel to a scientific meeting in a foreign country is allowable
Foreign consultants/collaborators are allowable, but must perform consulting in the U.S.
Intellectual Property, Data Rights and the SBIR Program
As with all contracts, pursuant to the Bayh-Dole Act, an SBIR contractor can elect title to inventions discovered under the SBIR contract (FAR 52.227-11)
The Small Business Act (15 U.S.C. 631(j)(2)(A)) provides for retention by an SBIR awardee of the rights to data generated by the concern in the performance of an SBIR award; protection of SBIR data is intended to provide incentive for further development or commercialization of technology by the SBIR awardee
If you don't understand the IPR issues, get help!!
Intellectual Property, Data Rights and the SBIR Program - 2
The SBIR Program is an instance in which government funds are to be used to create data protected from disclosure, and therefore, has its own rights in data clause (FAR 52.227-20)
As a result, the government must protect from disclosure and non-governmental use “SBIR data”, technical data, and computer software first produced under a SBIR funding agreement and properly marked
The period of protection under the FAR is four years from delivery of the last deliverable under that agreement (either Phase I, Phase II, or a Federally-funded SBIR Phase III)
Protections against disclosure of data from one phase may extend to four years after subsequent SBIR awards if properly recognized in subsequent awards
DHS S&T SBIR Evaluation Criteria
The soundness, technical merit, and innovation of the proposed approach and its progress toward topic solution
The qualifications of the proposed principal investigators, supporting staff, and consultants
Qualifications include not only the ability to perform the research and development but also the ability to commercialize the results
The potential for commercial (government or private sector) application and the benefits expected to accrue from this commercialization
Proposal Submissions by Size of Company (FY04.2 – FY10.2 data)
Number of employees: share of submissions
1: 4%
2-9: 39%
10-24: 22%
25-49: 11%
50-99: 9%
100-249: 13%
250-500: 2%
DHS SBIR Phase I – Data from 14 Competitions through FY10.2*
* Includes STTR data
Total Phase I Submissions/Awards: 2,608/423
By state (Submissions/Awards):
AK 3/1
AL 48/7
AR 3/0
AZ 46/10
CA 535/104
CO 68/10
CT 47/8
DC 6/0
DE 9/0
FL 93/11
GA 39/3
HI 17/3
IA 4/0
ID 8/0
IL 49/6
IN 35/3
KS 6/1
KY 10/1
LA 19/2
MA 269/55
MD 169/23
ME 11/0
MI 70/9
MN 41/7
MO 19/2
MS 5/0
MT 9/2
NC 32/5
ND 1/0
NE 7/1
NH 25/6
NJ 69/6
NM 42/7
NV 17/1
NY 101/28
OH 49/1
OK 10/3
OR 22/5
PA 63/8
PR 3/0
RI 7/1
SC 8/1
SD 2/0
TN 19/1
TX 140/23
UT 28/7
VA 239/35
VT 10/1
WA 51/12
WI 13/2
WV 10/1
WY 2/0
Small Business Innovative Research (SBIR)
Since 2004, DHS S&T Cyber Security Program has had:
47 Phase I efforts
22 Phase II efforts
5 efforts currently in progress
8 commercial products available
Three acquisitions:
Komoku, Inc. (MD) acquired by Microsoft in March 2008
Endeavor Systems (VA) acquired by McAfee in January 2009
Solidcore (CA) acquired by McAfee in June 2009
Added Bonus - Cost Match
Allows small businesses to seek additional funding for Phase II projects from non-SBIR sources
Minimum of $100,000 to maximum of $500,000 of outside funding
Matched by DHS SBIR up to $250,000 in a 1:2 ratio
Additional funds require additional scope – need to either add R&D on SBIR contract or other development and commercialization activities (or some of both)
Cost match is a motivator for, and an indicator of, commercial potential
The DoD IA Research Community
Government: NSA, National IA Research Lab, ONR, NRL, AFRL, AFOSR, ARL, ARO, DARPA
Academia
Industry
SBIRs are funded by DDR&E, DARPA, the Services and Agencies
DDR&E Small Business Innovative Research (SBIR) Program
Cyber Security awards since 2007 - present: 123 Phase I awards; 39 Phase II awards; roughly $11 M per year in DDR&E awards
Annual SBIR Workshop: last one was 20-22 July 2010; next one is 12-14 July 2011 in WDC
Links government, SBIR researchers, prime contractors
150 participants
Includes SBIR & STTR
DOD DDR&E SBIR topics
• OSD10-IA1 Countermeasures to Malicious Hardware to Improve Software Protection Systems
• OSD10-IA2 Effective Portable Data Content Inspection and Sanitization
• OSD10-IA3 Robust and Effective Anti-Phishing Techniques
• OSD10-IA4 Preventing Sensitive Information and Malicious Traffic from Leaving Computers
• OSD10-IA5 Biometric-based Computer Authentication during Mission-Oriented Protective Posture Scenarios
Useful Web Sites
https://sbir.dhs.gov
www.baa.st.dhs.gov
www.dhs.gov
www.dhs.gov/xopnbiz/
www.fedbizopps.gov
www.sbir.gov
DHS S&T Directorate SBIR Point of Contact
Elissa (Lisa) Sobolewski, DHS SBIR Program Manager: [email protected], (202) 254-6768
S&T SBIR Program Email: [email protected]
Broad Agency Announcements (BAAs)
http://baa.st.dhs.gov
R&D funding model that delivers both near-term and medium-term solutions:
To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation's critical information infrastructure;
To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.
Past Solicitations
http://baa.st.dhs.gov
Left hand side – Past Solicitations
Look for BAA 07-09 and BAA 04-17
Review BAA, any modifications or amendments, presentations, etc.
BAA Program / Proposal Structure
Type I (New Technologies): New technologies with an applied research phase, a development phase, and a deployment phase (optional). Funding not to exceed 36 months (including deployment phase)
Type II (Prototype Technologies): More mature prototype technologies with a development phase and a deployment phase (optional). Funding not to exceed 24 months (including deployment phase)
Type III (Mature Technologies): Mature technology with a deployment phase only. Funding not to exceed 12 months
BAA 07-09 Technical Topic Areas
Botnets and Other Malware: Detection and Mitigation
Composable and Scalable Secure Systems
Cyber Security Metrics
Network Data Visualization for Information Assurance
Internet Tomography / Topography
Routing Security Management Tool
Process Control System Security
Secure and Reliable Wireless Communication for Control Systems
Real-Time Security Event Assessment and Mitigation
Data Anonymization Tools and Techniques
Insider Threat Detection and Mitigation
BAA 07-09 White Papers
(Type I = 36 months, Type II = 24 months, Type III = 12 months)

Registrations Received
          Type I   Type II   Type III   TOTALS
TTA 1         56        48         11      115
TTA 2         85        47         15      147
TTA 3         51        22          8       81
TTA 4         36        29         10       75
TTA 5         21        12          4       37
TTA 6         10         8          5       23
TTA 7         43        31         13       87
TTA 8         22        16          4       42
TTA 9         49        30         15       94
TOTALS       373       243         85      701

Submissions Received
          Type I   Type II   Type III   TOTALS
TTA 1         30        25          6       61
TTA 2         49        33          7       89
TTA 3         23        10          2       35
TTA 4         17        18          4       39
TTA 5         10         5          1       16
TTA 6          3         4          2        9
TTA 7         27        16          7       50
TTA 8         10         7          1       18
TTA 9         24        16          6       46
TOTALS       193       134         36      363
BAA 07-09 Full Proposal Statistics

Full Proposals
          Type I   Type II   Type III   TOTALS
TTA 1          5         4          3       12
TTA 2          5         7          0       12
TTA 3          2         3          1        6
TTA 4          4         5          0        9
TTA 5          3         0          0        3
TTA 6          2         2          1        5
TTA 7          5         2          1        8
TTA 8          1         1          0        2
TTA 9          3         3          0        6
TOTALS        30        27          6       63

80 offerors were encouraged to submit Full Proposals based on the White Paper reviews; 63 of those offerors submitted Full Proposals.

Award Summary: Type I – 6; Type II – 9; Type III – 2
Leads: Academic – 6; Industry – 10; Labs – 1
12 CNCI Projects
Establish a front line of defense:
Reduce the Number of Trusted Internet Connections
Deploy Passive Sensors Across Federal Systems
Pursue Deployment of Automated Defense Systems
Coordinate and Redirect R&D Efforts
Resolve to secure cyberspace / set conditions for long-term success:
Connect Current Centers to Enhance Situational Awareness
Develop Gov't-wide Counterintelligence Plan for Cyber
Increase Security of the Classified Networks
Expand Education
Shape future environment / secure U.S. advantage / address new threats:
Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
Define and Develop Enduring Deterrence Strategies & Programs
Manage Global Supply Chain Risk
Cyber Security in Critical Infrastructure Domains
CNCI = Comprehensive National Cyber Initiative
National Cyber Leap Year (NCLY)
RFI – 1: Generic, wide-open. Received over 160 responses; created 9 research areas:
Attribution, Cyber Economics, Disaster Recovery, Network Ecology, Policy-based Configuration, Randomization/Moving Target, Secure Data, Software Assurance, Virtualization
RFI – 2: Same as RFI-1, but providing IP protection. Received over 30 responses
RFI – 3: Requested submissions only in the 9 research areas above. Received over 40 responses
National Cyber Leap Year (NCLY) Summit, August 17-19, 2009. Results posted on http://www.nitrd.gov
NCLY Summit Topics
Cyber economics
Digital provenance
Hardware enabled trust
Moving target defense
Nature inspired cyber defense
Expectation: Agencies will include these topics in future solicitations
Cyber Economics
Enable trusted repositories of data and metrics to allow economic analysis
Theories, models, and scientific understanding of cyber economics
Environment for training users and allowing controls of personal data
Tools to empower service providers in the defense of their infrastructure
Digital Provenance
Develop new mechanisms for digital provenance definitions and management
Create technologies allowing stable and trustworthy entity identity
Advance data security techniques for provenance of data from creation to destruction
Hardware Enabled Trust
Create new resilient (diversity, redundancy, recovery) hardware
Hardware defenses for hardware attacks
Develop new trustworthy data storage architectures and technologies
Moving Target Defense
Technologies allowing a shift from reactive security postures to active preemptive postures
Create and develop manageable moving target mechanisms that create disruption for the adversaries, but not for the legitimate users
Techniques to analyze the effectiveness of MT mechanisms against various attacks and disruptions
Solutions that increase the ability to observe, shape, and expose the actions of adversaries as they attempt to evade and break MT mechanisms
Nature Inspired Cyber Defense
Improve current distributed network defenses to react more quickly
Create technologies that provide evolving system immunity to attacks
Establish a Cyber-CDC (global cyber information sharing)
Analyze legal aspects associated with active cyber defense
A Roadmap for Cybersecurity Research
http://www.cyber.st.dhs.gov
Scalable Trustworthy Systems
Enterprise Level Metrics
System Evaluation Lifecycle
Combatting Insider Threats
Combatting Malware and Botnets
Global-Scale Identity Management
Survivability of Time-Critical Systems
Situational Understanding and Attack Attribution
Information Provenance
Privacy-Aware Security
Usable Security
Roadmap Content
What is the problem being addressed?
What are the potential threats?
Who are the potential beneficiaries? What are their respective needs?
What is the current state of practice?
What is the status of current research?
What are the research gaps?
What challenges must be addressed?
What resources are needed?
How do we test & evaluate solutions?
What are the measures of success?
Summary
Learn about the agencies, their missions, and meet the Program Managers
Build your team to deliver – consider including contracting personnel
Understand the opportunities – SBIR, STTR, BAA, CNCI R&D, RFP (not discussed in this presentation)
Douglas Maughan, Ph.D.
Division Director
Cyber Security Division
Homeland Security Advanced Research Projects Agency (HSARPA)
202-254-6145 / 202-360-3170
For more information, visit http://www.cyber.st.dhs.gov