PowerPoint Presentation - Security Innovation Network


Douglas Maughan

Division Director, Cyber Security Division

Homeland Security Advanced Research Projects Agency (HSARPA)

Department of Homeland Security (DHS) Science and Technology (S&T)

Obtaining Federal Research Funding

Understanding the Landscape

Contracting

Small Business Programs

Larger R&D Solicitations

Summary / Q&A

Federal Cyber Research Community

National Science Foundation (NSF)
  Research Agenda: Broad range of cyber security topics; several academic centers
  Researchers: Academics and non-profits
  Customers / Consumers: Basic research - no specific customers

Defense Advanced Research Projects Agency (DARPA)
  Research Agenda: Mostly classified; unclassified topics are focused on MANET solutions
  Researchers: Few academics; large system integrators; research and government labs
  Customers / Consumers: Mostly DOD; most solutions are GOTS, not COTS

National Security Agency (NSA)
  Research Agenda: SELinux; networking theory; CAEIAE centers
  Researchers: Mostly in-house
  Customers / Consumers: Intelligence community; some NSA internal; some open source

Intelligence Advanced Research Projects Agency (IARPA)
  Research Agenda: Accountable Information Flow (AIF); Large Scale System Defense (LSSD); Privacy Protection Technologies (PPT)
  Researchers: Mostly research labs, system integrators, and national labs; some academics
  Customers / Consumers: Intelligence community

Department of Homeland Security (DHS) S&T
  Research Agenda: All unclassified; Secure Internet Protocols; Process Control Systems (PCS), Emerging Threats, Insider Threat, Cyber Forensics; Open Security Technologies, Next Generation Technologies
  Researchers: Blend of academics, research and government labs, non-profits, private sector and small business
  Customers / Consumers: DHS Components (including NPPD, NCSC, USCG, FLETC and USSS); CI/KR Sectors; USG and Internet

Increasing your success rate getting Federal R&D support

Understand your client
- Federal agencies have distinctly different characters
  - Different missions
  - Different processes
- Federal agencies are not charities
  - Money is appropriated to them for specific purposes
  - You will be more successful if you can explain why your proposed R&D supports their mission


Federal R&D Process

Planning
- Identify requirements
- Develop program plan and allocate resources
- Communicate plans and priorities to technical community

Solicitation
- Posting solicitations
- Solicitation process
- White papers
- Submitting proposals

Contract
- Different programs demand different contract vehicles
- Flexibility used to match mission
- Programs tailored to meet unique conditions of objectives

Execution
- Active interaction with performers

Federal R&D Programs

A program is led by a Program Manager (PM)

A program will have:
- Specific Technology Objectives aligned with customer needs which, if achieved, will have a significant operational impact
- Plan to move from current level of technical maturity to a higher level (e.g., for DOD it's TRLs - Technology Readiness Levels)
- A technical approach indicating how the objectives will be achieved
- A program structure indicating how the PM has deployed resources (time, money, executors) to achieve the objectives
- Deliverables
- Transition Strategy/Technology Development Path

Relationship with the Program Manager

- PM wants to leverage existing technology, others' R&D investment and market pull
- PM wants the intellectual property strategy aligned with transition plan, but will (usually) negotiate
- PM's job is to manage technical and programmatic risk and WANTS YOU TO SUCCEED
- The PM is a resource for you in accomplishing the R&D and in transitioning to the (government) customer

Mechanics of Proposing R&D

- Find agencies with closest mission match
- Identify R&D element(s) within the agencies
- Look for existing R&D solicitations (money already exists for these efforts!)
- Do your homework (LOOK AT PREVIOUS SOLICITATIONS, read website, workshop results, and any presentations on your target program solicitation)
- Respond to solicitation carefully: meet all administrative requirements and make sure your R&D matches the stated program needs
- If no solicitation, contact R&D PM. Explain relevance to his/her mission. Be patient. Be persistent.

Contracting Vehicles

The Government has a range of contracting vehicles to match programmatic needs and contractor character.

- Grants
- Contracts
- Cooperative agreements
- Other Transactions for Research or Prototypes
  - Allows government to deal with non-traditional contractors who have desirable technologies, but do not want to keep "Government books"
  - Must comply with "generally acceptable accounting principles"

R&D Proposals

- Team approach (technical & business)
  - Consider hiring government contracting specialist
- Cost realism
- Cost or Price Analysis

Contract Types for R&D

Cost or Price Analysis
- Level of complexity will vary (contract type, dollar value)
- The basis of your proposal costs: be prepared to provide backup data
- Indirect rate structure
- Fee/profit

Business Capabilities
- Financial audit
- Proposal costs
- Accounting system
- Estimating system
- Financial capabilities
- Past performance

NOTE: If you’ve never had a government contract,
consider talking with DCAA sooner rather than later.

DCAA = Defense Contract Audit Agency

The Normal Contract

Terms
- Read & understand your contract
- Contract line items/deliverables
- Contract clauses

Performance
- Proposal - What did you say you would do?
- Deliverables - Due dates
- Acceptance - How accomplished

Payment
- Invoicing procedures and certification
- Prompt Payment Act
- Limitation of Funds/Limitation of Cost

Helpful Contracting Websites

http://www.dcaa.mil/dcaap7641.90.pdf
http://www.sba.gov/services/contractingopportunities
http://farsite.hill.af.mil
http://acquisition.gov/far/index.html

Programs for U.S. Small Business

Small Business Innovation Research (SBIR) - 2.5% set-aside
- Set-aside program for small business concerns to engage in federal R&D, with potential for commercialization

Small Business Technology Transfer (STTR) - 0.3% set-aside
- Set-aside program to facilitate cooperative R&D between small business concerns and research institutions, with potential for commercialization

SBIR - A 3 Phase Program

PHASE I
- Feasibility study
- $100K (in general) and 6 month effort

PHASE II
- Full research/R&D
- $750K and 24 month effort
- Commercialization plan required

PHASE III
- Commercialization stage
- Use of non-SBIR funds

Which Government Agencies?

Both SBIR/STTR: Defense, Health & Human Services, NASA, DOE, NSF, DHS

SBIR only: DOA, DOC, ED, EPA, DOT, NIH

Agency SBIR Differences

- Number and timing of solicitations
- R&D topic areas (broad vs. focused)
- Dollar amount of award (Phase I and II)
- Proposal preparation instructions
- Financial details (e.g., indirect cost rates)
- Proposal review process
- Proposal success rates
- Types of award
- Commercialization assistance
- And more...

Agency differences: ALWAYS CHECK WITH AGENCIES

SBIR Program: Small Business Concern Eligibility

- Organized for-profit
- Place of business located in the U.S., operates primarily within the U.S., or which makes significant contribution to the U.S. economy through payment of taxes or use of American products, materials or labor
- Is in the legal form of an individual proprietorship, partnership, limited liability company, corporation, joint venture, association, trust or cooperative
  - Where the form is a joint venture, there can be no more than 49% participation by business entities in the joint venture

SBIR Program: Small Business Concern Eligibility (Continued)

- Fewer than 500 employees, including affiliates
- Principal Investigator's (PI) primary employment must be with the small business concern at the time of award and for the duration of the project period
- Significant amount of PI's time will be devoted to the SBIR effort

Performance of R&D Activities

"All research/R&D must be performed in its entirety in the U.S."
- Rare cases to conduct testing of specific patient populations outside U.S. is allowable
- Travel to scientific meeting in foreign country is allowable
- Foreign consultants/collaborators allowable, but must perform consulting in U.S.


Intellectual Property, Data Rights and the SBIR Program

- As with all contracts, pursuant to the Bayh-Dole Act, an SBIR contractor can elect title to inventions discovered under the SBIR contract (FAR 52.227-11)
- The Small Business Act (15 U.S.C. 631(j)(2)(A)) provides for retention by an SBIR awardee of the rights to data generated by the concern in the performance of an SBIR award
  - Protection of SBIR data is intended to provide incentive for further development or commercialization of technology by the SBIR awardee

If you don't understand the IPR issues, get help!!

Intellectual Property, Data Rights and the SBIR Program - 2

- The SBIR Program is an instance in which government funds are to be used to create data protected from disclosure, and therefore, has its own rights in data clause (FAR 52.227-20)
- As a result, the government must protect from disclosure and non-governmental use "SBIR data", technical data, and computer software first produced under a SBIR funding agreement and properly marked
- The period of protection under the FAR is four years from delivery of the last deliverable under that agreement (either Phase I, Phase II, or a Federally-funded SBIR Phase III)
- Protections against disclosure of data from one phase may extend to four years after subsequent SBIR awards if properly recognized in subsequent awards

DHS S&T SBIR Evaluation Criteria

- The soundness, technical merit, and innovation of the proposed approach and its progress toward topic solution
- The qualifications of the proposed principal investigators, supporting staff, and consultants
  - Qualifications include not only the ability to perform the research and development but also the ability to commercialize the results
- The potential for commercial (government or private sector) application and the benefits expected to accrue from this commercialization

Proposal Submissions by Size of Company (FY04.2 - FY10.2 data)

Share of submissions by number of employees (bar-chart data labels, in chart order):

Number of Employees   Share
1                     4%
2-9                   39%
10-24                 22%
25-49                 11%
50-99                 9%
100-249               13%
250-500               2%

DHS SBIR Phase I

Data from 14 Competitions through FY10.2*

Total Phase I Submissions/Awards: 2,608/423

Phase I submissions/awards by state (map data):

AK 3/1      AL 48/7     AR 3/0      AZ 46/10    CA 535/104
CO 68/10    CT 47/8     DC 6/0      DE 9/0      FL 93/11
GA 39/3     HI 17/3     IA 4/0      ID 8/0      IL 49/6
IN 35/3     KS 6/1      KY 10/1     LA 19/2     MA 269/55
MD 169/23   ME 11/0     MI 70/9     MN 41/7     MO 19/2
MS 5/0      MT 9/2      NC 32/5     ND 1/0      NE 7/1
NH 25/6     NJ 69/6     NM 42/7     NV 17/1     NY 101/28
OH 49/1     OK 10/3     OR 22/5     PA 63/8     PR 3/0
RI 7/1      SC 8/1      SD 2/0      TN 19/1     TX 140/23
UT 28/7     VA 239/35   VT 10/1     WA 51/12    WI 13/2
WV 10/1     WY 2/0

* Includes STTR data

Small Business Innovative Research (SBIR)

Since 2004, DHS S&T Cyber Security Program has had:
- 47 Phase I efforts
- 22 Phase II efforts
- 5 efforts currently in progress
- 8 commercial products available
- Three acquisitions
  - Komoku, Inc. (MD) acquired by Microsoft in March 2008
  - Endeavor Systems (VA) acquired by McAfee in January 2009
  - Solidcore (CA) acquired by McAfee in June 2009

Added Bonus - Cost Match

- Allows small businesses to seek additional funding for Phase II projects from non-SBIR sources
- Minimum of $100,000 to maximum of $500,000 of outside funding
- Matched by DHS SBIR up to $250,000 in a 1:2 ratio
- Additional funds require additional scope: need to either add R&D on SBIR contract or other development and commercialization activities (or some of both)
- Cost match is a motivator for, and an indicator of, commercial potential

The DoD IA Research Community

NSA, ONR, AFRL, ARL, NRL, AFOSR, ARO, DARPA, National IA Research Lab

Academia

Industry

SBIRs are funded by DDR&E, DARPA, the Services and Agencies

DDR&E Small Business Innovative Research (SBIR) Program

Cyber Security awards since 2007 - present
- 123 Phase I awards
- 39 Phase II awards
- Roughly $11 M per year DDR&E awards

Annual SBIR Workshop
- Last one was 20-22 July 2010; next one is 12-14 July 2011 in WDC
- Links government, SBIR researchers, prime contractors
- 150 participants
- Includes SBIR & STTR

DOD DDR&E SBIR topics

- OSD10-IA1 Countermeasures to Malicious Hardware to Improve Software Protection Systems
- OSD10-IA2 Effective Portable Data Content Inspection and Sanitization
- OSD10-IA3 Robust and Effective Anti-Phishing Techniques
- OSD10-IA4 Preventing Sensitive Information and Malicious Traffic from Leaving Computers
- OSD10-IA5 Biometric-based Computer Authentication during Mission-Oriented Protective Posture Scenarios


Useful Web Sites

https://sbir.dhs.gov
www.baa.st.dhs.gov
www.dhs.gov
www.dhs.gov/xopnbiz/
www.fedbizopps.gov
www.sbir.gov

Useful Web Sites and DHS S&T Directorate SBIR Point of Contact

Elissa (Lisa) Sobolewski
DHS SBIR Program Director
elissa.sobolewski@dhs.gov
(202) 254-6768

S&T SBIR Program Email: STSBIR.PROGRAM@dhs.gov




Broad Agency Announcements (BAAs)

http://baa.st.dhs.gov

R&D funding model that delivers both near-term and medium-term solutions:
- To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation's critical information infrastructure.
- To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
- To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

Past Solicitations

http://baa.st.dhs.gov
- Left hand side: Past Solicitations
- Look for BAA 07-09 and BAA 04-17
- Review BAA, any modifications or amendments, presentations, etc.

BAA Program / Proposal Structure

Type I (New Technologies)
- New technologies with an applied research phase, a development phase, and a deployment phase (optional)
- Funding not to exceed 36 months (including deployment phase)

Type II (Prototype Technologies)
- More mature prototype technologies with a development phase and a deployment phase (optional)
- Funding not to exceed 24 months (including deployment phase)

Type III (Mature Technologies)
- Mature technology with a deployment phase only
- Funding not to exceed 12 months

BAA 07-09 Technical Topic Areas

- TTA 1: Botnets and Other Malware: Detection and Mitigation
- TTA 2: Composable and Scalable Secure Systems
- TTA 3: Cyber Security Metrics
- TTA 4: Network Data Visualization for Information Assurance
- TTA 5: Internet Tomography / Topography
- TTA 6: Routing Security Management Tool
- TTA 7: Process Control System Security
  - Secure and Reliable Wireless Communication for Control Systems
  - Real-Time Security Event Assessment and Mitigation
- TTA 8: Data Anonymization Tools and Techniques
- TTA 9: Insider Threat Detection and Mitigation

BAA 07-09 White Papers

Registrations Received

            Type I     Type II    Type III   TOTALS
            36 months  24 months  12 months
TTA 1       56         48         11         115
TTA 2       85         47         15         147
TTA 3       51         22         8          81
TTA 4       36         29         10         75
TTA 5       21         12         4          37
TTA 6       10         8          5          23
TTA 7       43         31         13         87
TTA 8       22         16         4          42
TTA 9       49         30         15         94
TOTALS      373        243        85         701

Submissions Received

            Type I     Type II    Type III   TOTALS
            36 months  24 months  12 months
TTA 1       30         25         6          61
TTA 2       49         33         7          89
TTA 3       23         10         2          35
TTA 4       17         18         4          39
TTA 5       10         5          1          16
TTA 6       3          4          2          9
TTA 7       27         16         7          50
TTA 8       10         7          1          18
TTA 9       24         16         6          46
TOTALS      193        134        36         363

BAA 07-09 Full Proposal Statistics

FULL PROPOSALS

            Type I     Type II    Type III   TOTALS
TTA 1       5          4          3          12
TTA 2       5          7          0          12
TTA 3       2          3          1          6
TTA 4       4          5          0          9
TTA 5       3          0          0          3
TTA 6       2          2          1          5
TTA 7       5          2          1          8
TTA 8       1          1          0          2
TTA 9       3          3          0          6
TOTALS      30         27         6          63

80 offerors were encouraged to submit Full Proposals based on the White Paper reviews; 63 of those offerors submitted Full Proposals.

AWARD SUMMARY

Type I: 6
Type II: 9
Type III: 2

LEADS

Academic: 6
Industry: 10
Labs: 1

41

12 CNCI Projects

Establish a front line of defense
- Reduce the Number of Trusted Internet Connections
- Deploy Passive Sensors Across Federal Systems
- Pursue Deployment of Automated Defense Systems
- Coordinate and Redirect R&D Efforts

Resolve to secure cyberspace / set conditions for long-term success
- Connect Current Centers to Enhance Situational Awareness
- Develop Gov't-wide Counterintelligence Plan for Cyber
- Increase Security of the Classified Networks
- Expand Education

Shape future environment / secure U.S. advantage / address new threats
- Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
- Define and Develop Enduring Deterrence Strategies & Programs
- Manage Global Supply Chain Risk
- Cyber Security in Critical Infrastructure Domains

CNCI = Comprehensive National Cyber Initiative

National Cyber Leap Year (NCLY)

RFI-1: Generic, wide-open
- Received over 160 responses; created 9 research areas
  - Attribution, Cyber Economics, Disaster Recovery, Network Ecology, Policy-based Configuration, Randomization/Moving Target, Secure Data, Software Assurance, Virtualization

RFI-2: Same as RFI-1, but providing IP protection
- Received over 30 responses

RFI-3: Requested submissions only in 9 research areas above
- Received over 40 responses

National Cyber Leap Year (NCLY) Summit
- August 17-19, 2009
- Results posted on http://www.nitrd.gov

NCLY Summit Topics

- Cyber economics
- Digital provenance
- Hardware enabled trust
- Moving target defense
- Nature inspired cyber defense

Expectation: Agencies will include these topics in future solicitations

Cyber Economics
- Enable trusted repositories of data and metrics to allow economic analysis
- Theories, models, and scientific understanding of cyber economics
- Environment for training users and allowing controls of personal data
- Tools to empower service providers in the defense of their infrastructure

Digital Provenance
- Develop new mechanisms for digital provenance definitions and management
- Create technologies allowing stable and trustworthy entity identity
- Advance data security techniques for provenance of data from creation to destruction

Hardware Enabled Trust
- Create new resilient (diversity, redundancy, recovery) hardware
- Hardware defenses for hardware attacks
- Develop new trustworthy data storage architectures and technologies

Moving Target Defense
- Technologies allowing a shift from reactive security postures to active preemptive postures
- Create and develop manageable moving target mechanisms that create disruption for the adversaries, but not for the legitimate users
- Techniques to analyze the effectiveness of MT mechanisms against various attacks and disruptions
- Solutions that increase the ability to observe, shape, and expose the actions of adversaries as they attempt to evade and break MT mechanisms

Nature Inspired Cyber Defense
- Improve current distributed network defenses to react more quickly
- Create technologies that provide evolving system immunity to attacks
- Establish a Cyber-CDC (global cyber information sharing)
- Analyze legal aspects associated with active cyber defense

A Roadmap for Cybersecurity Research

http://www.cyber.st.dhs.gov

- Scalable Trustworthy Systems
- Enterprise Level Metrics
- System Evaluation Lifecycle
- Combatting Insider Threats
- Combatting Malware and Botnets
- Global-Scale Identity Management
- Survivability of Time-Critical Systems
- Situational Understanding and Attack Attribution
- Information Provenance
- Privacy-Aware Security
- Usable Security

Roadmap Content
- What is the problem being addressed?
- What are the potential threats?
- Who are the potential beneficiaries? What are their respective needs?
- What is the current state of practice?
- What is the status of current research?
- What are the research gaps?
- What challenges must be addressed?
- What resources are needed?
- How do we test & evaluate solutions?
- What are the measures of success?

Summary

- Learn about the agencies, their missions, and meet the Program Managers
- Build your team to deliver: consider including contracting personnel
- Understand the opportunities: SBIR, STTR, BAA, CNCI R&D, RFP (not discussed in this presentation)

Douglas Maughan, Ph.D.
Division Director
Cyber Security Division
Homeland Security Advanced Research Projects Agency (HSARPA)
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170

For more information, visit http://www.cyber.st.dhs.gov