Arpa BAA on Security

[David Farber <farber () central cis upenn edu>]

Resent-From: "Michael St. Johns" <stjohns () arpa mil>


Due to the possibility of transcription errors, the official CBD announcement  
takes precedence over this transcription in any disagreement between the two.  
The transcription is provided for your convenience only.


=================================================


INFORMATION SYSTEM SECURITY SOL BAA95-15 DUE 041795 POC Teresa F. Lunt,  
ARPA/CSTO, POC, FAX: (703)522-2668.


The Advanced Research Projects Agency (ARPA) is soliciting proposals for  
research in various aspects of computer and network security, to create and  
integrate advanced security technologies for the DII, NII, National Challenge  
problems, and defense uses. This solicitation is part of a larger strategy for  
developing technology for defensive information warfare. Proposals are sought  
that address one or more of the following areas: 




1) Infrastructure Protection: Proposals are sought to develop prototypes of  
security mechanisms, value-added security services, packet and cell encryption  
techniques, and seamlessly integrated security in mobile, high-data-rate,  
multimedia, network technologies. Of interest are the creation of modular  
value-added security services such as authentication, authorization, auditing  
and audit analysis, security management, nonrepudiation, and anonymity, and
the  
redesign of network protocols to remove known security weaknesses, especially  
vulnerability to malicious denial of service attacks. In addition, research  
prototypes are sought for a protected infrastructure for key management that  
could support both symmetric and asymmetric keying needed by secure  
applications and network services. As a complementary method to other  
protection schemes, ARPA also is interested in research into packet and cell  
encryption devices and techniques. Proposed encryption devices should support  
performance ranges up to 10 gigabit/second and 10 megapacket/second, a variety  
of addressing schemes (unicast and multicast), and modularly replaceable  
cryptographic services, and should interface to a variety of network  
technologies. For all of the above, approaches that include multiparty
software  
key escrow as a key management function are encouraged. Where appropriate,  
research should be applicable to unicast, broadcast, and dynamic group  
(multicast) communications and specifically address the problem of  
interoperability of various plausible security infrastructures. Specific  
deliverables may include libraries or toolkits with standard interfaces for  
linking security functions and services to applications. Technical POC: Teresa  
F. Lunt, Michael StJohns


2) Protection of End-systems: ARPA is seeking technology to allow  
geographically separated parts of an organization to interact as if they
shared  
a common security perimeter. Approaches should allow uniform system-wide  
security policies to be enforced, and should provide a high degree of  
resistance to attack while providing greater interoperability with  
applications. Of special interest is research and prototyping of firewalls,  
technologies to support secure distributed applications across heterogeneous  
platforms, secure configuration controls, and security administration tools.  
Approaches should allow a variety of organization-specific security policies
to  
be defined and enforced and allow for varying degrees of configurable  
assurance. Security prototypes may be integrated into standard or emerging  
systems or be at the core of new technology. Proposals are encouraged in the  
area of generating and linking policy-enforcement derived from high-level  
expression of security policy, constraints, and requirements into specific  
applications. Also of interest is technology to allow system components or  
devices to be mutually authenticated to provide secure configuration.
Proposals  
regarding security management technology should result in efficient and  
scalable tools allowing administrators of large systems to assess their  
systems' vulnerabilities, to bring their systems into compliance with any
given  
set of security requirements, to remotely monitor systems for security  
compliance, and to quickly assess and correct damage from security incidents.  
Proposals for end-system protection through appropriate design and function of  
operating systems and services are strongly encouraged, proposals for work in  
the area of operating systems and services should be submitted through the  
forthcoming companion BAA on Scalable Systems and Software. Technical POC:  
Teresa F. Lunt, Glenn Ricart


3) Assurance: Proposals are sought for prototype experimental system  
structuring languages, analysis methods, and systems development tools and  
development environment to express the structure of information systems,
reason  
about their security and other properties, and allow efficient and secure  
implementations. The proposed approach should be capable of expressing modular  
operating system structures, networking and other system services, and  
distributed information system protocols including those providing security  
services. Approaches that also address system hardware levels and their  
integration into higher-level system structures are also desired. Proposed  
projects should be based on well-founded languages which include abstraction  
mechanisms suitable for expressing and reasoning about complex system  
structures. Reuse of current methodologies and tools is encouraged where  
possible. Approaches are encouraged to integrate security tools and assurance  
methods into existing or emerging automated programming support environments.  
Demonstration of the approach on state-of-the-art security systems and an  
assessment of the degree of increased security achieved is encouraged.  
Proposals are also sought for metrics, evaluation techniques, and tools for  
quantitative assessment of system security or strength against attack.  
Technical POC: Teresa F. Lunt, John Salasin.


PROGRAM SCOPE: Proposed research should investigate innovative, scalable  
approaches that lead to or enable revolutionary advances in the state of the  
art. Specifically excluded is research which primarily results in evolutionary  
improvement to the existing state of practice or focuses on a specific system  
or hardware solution. Topics are not limited to those outlined above. When  
appropriate, new concepts are to be demonstrated by means of prototypes or  
reference implementations. Proposals may range from small-scale efforts that  
are primarily theoretical in nature, to medium-scale experimental and  
prototyping efforts of hardware and/or software, to larger-scale integrated  
systems efforts. The target computing environment includes wireless and mobile  
platforms as well as fixed-location hosts. Proposals may involve other
research  
groups or industrial cooperation and cost sharing. Collaborative efforts and  
teaming are encouraged. Technologies which have a broad impact will be given  
highest priority. Proposals will be considered in each of the above areas as  
well as across multiple areas. Proposers are strongly encouraged to include  
tasks that evaluate the security of their resulting prototypes under realistic  
scenarios. Remaining vulnerabilities of proposed approaches should be  
identified, and proposers are encouraged to include techniques for the  
detection of attacks that exploit those weaknesses. Proposals should identify  
opportunities for technology transfer within the commercial marketplace and  
employ evolutionary concepts to allow their approaches to maintain currency  
with emerging technology. Scalable, efficient, and interoperable approaches
are  
encouraged. ARPA does not advocate or endorse the use of any particular  
cryptographic algorithm or cryptographic system. Proposals involving the use
of  
cryptography must be modular and independent of encryption algorithm, allowing  
replacement with other algorithms, and employing two or more algorithms if  
possible. Development of cryptographic algorithms or cryptoanalytic attacks is  
not within scope of this solicitation. Some Government Furnished Equipment and  
Information (GFE) in the form of FORTEZZA cryptographic cards and PCMCIA card  
readers (up to 5 per contract), the FORTEZZA C library and device drivers (for  
selected platforms only), and the FORTEZZA Applications Developers Guide may
be  
available, but ARPA does not guarantee its availability. It is also
anticipated  
that GFE software cryptography will become available during the course of  
projects awarded under this BAA. Proposers may request the use of such GFE,
but  
must describe alternatives they would use in the event this GFE is not  
available.


GENERAL INFORMATION: In order to minimize unnecessary effort in proposal  
preparation and review, proposers are strongly encouraged to submit brief  
proposal abstracts in advance of full proposals. An original and three (3)  
copies of the proposal abstract must be submitted to ARPA/CSTO, 3701 North  
Fairfax Drive, Arlington, VA 22203-1714, (ATTN: BAA 95-15) on or before 4:00  
PM, February 17, 1995. Proposal abstracts received after this date may not be  
reviewed. Upon review, ARPA will provide written feedback on the likelihood of  
a full proposal being selected. Proposers must submit an original and four (4)  
copies of full proposals by 4:00 PM, April 17, 1995, in order to be
considered.  
Proposers must obtain a pamphlet, BAA 95-15 Proposer Information, which  
provides further information on the submission, evaluation, funding processes,  
proposal and proposal abstract formats. This pamphlet may be obtained by fax,  
electronic mail, or mail request to the administrative contact address given  
below, as well as at URL address http://www.csto.arpa.mil/Solicitations.  
Proposals not meeting the format described in the pamphlet may not be
reviewed.  
This notice, in conjunction with the pamphlet BAA 95-15, Proposer Information,  
constitutes the total BAA. No additional information is available, nor will a  
formal RFP or other solicitation regarding this announcement be issued.  
Requests for same will be disregarded. The Government reserves the right to  
select for award all, some, or none of the proposals received. All responsible  
sources capable of satisfying the Government's needs may submit a proposal  
which shall be considered by ARPA. Historically Black Colleges and
Universities  
(HBCU) and Minority Institutions (MI) are encouraged to submit proposals and  
join others in submitting proposals, however, no portion of this BAA will be  
set aside for HBCU and MI participation due to the impracticality of reserving  
discrete or severable areas of information security research. Evaluation of  
proposals will be accomplished through a scientific review of each proposal  
using the following criteria, which are listed in descending order of relative  
importance: (1) overall scientific and technical merit, (2) potential  
contribution and relevance to ARPA mission, (3) offeror's capabilities and  
related experience, (4) plans and capability to accomplish technology  
transition, and (5) cost realism. Note: Cost realism will be significant only  
in proposals which have significantly under or over estimated the cost to  
complete their effort. All administrative correspondence and questions on this  
solicitation, including requests for information on how to submit a proposal  
abstract or proposal to this BAA, should be directed to one of the  
administrative addresses below, e-mail or fax is preferred. ARPA intends to
use  
electronic mail and fax for correspondence regarding BAA 95-15. The  
administrative addresses for this BAA are: Fax: 703-522-2668 Addressed to:  
ARPA/CSTO, BAA 95-15 Electronic Mail: baa9515 () arpa mil Mail: ARPA/CSTO, ATTN:  
BAA 95-15, 3701, N. Fairfax Drive, Arlington, VA 22203-1714 (0017)


SPONSOR: Advanced Research Projects Agency (ARPA), Contracts Management Office  
(CMO), 3701 North Fairfax Drive, Arlington, VA 22203-1714


SUBFILE: PSE (U.S. GOVERNMENT PROCUREMENTS, SERVICES)


SECTION HEADING: A Research and Development


PUBLICATION DATE: JANUARY 19, 1995


ISSUE: PSA-1266