NAVWAR Open Topic for Advanced Data Integrity and Control Methods

Navy SBIR 23.4 - Open Topic N244-P03
NAVWAR - Naval Information Warfare Systems Command
Pre-release 6/13/24   Opens to accept proposals 8/1/24   Closed 9/4/24 12:00pm ET

N244-P03 TITLE: NAVWAR Open Topic for Advanced Data Integrity and Control Methods

OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Integrated Network Systems of Systems

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.

OBJECTIVE: Develop a method to assure integrity, and control access and distribution for information on any device or network.

DESCRIPTION: The DoN requires the ability to securely move information from anywhere to anywhere. Once that information is delivered, the ability to assure integrity, control access, and limit further distribution becomes the critical capability. This topic seeks the development of technology that will provide for these critical capabilities independent from controls provided by networks, applications, platforms, or database technologies.

Traditionally, networks and applications have been the primary control method to assure integrity, control access, and limit distribution of information. The concept of Zero Trust aims to move the focus of protection to data elements, thus allowing much more flexibility and resiliency in the technology needed to connect people and things. Moving the protection boundary to data also frustrates malicious actors’ ability to gain access to information by compromising a position on a network and using that position to gain further access. To achieve this vision, concepts and technologies must be developed that can secure the most basic elements of our information in a way that enhances resiliency through distribution rather than centralization.

The current approach to Zero Trust implementation depends on applications and platforms to provide integrity and control of data. The DoN lacks the ability to universally control data independent of an application layer solution. The DoN is exploring methods to provide integrity and control of data, as an object independent of an application or platform. The DoN is aware of data format concepts such as the Intelligence Community Data Format (ICDF), and the Zero Trust Data Format (ZTDF) that embed control mechanisms into the elemental data object as a potential technical solution. The DoN is reviewing blockchain technology as a potential technical solution to maintain control of data independent of an application or platform environment. The DoN will use this NAVWAR Open Topic to explore other approaches we may not be aware of to assure the integrity and preserve access and proliferation control of data as the elemental object.

Proposed solutions must protect data independent of networks, applications, or database technologies, function in disrupted, disconnected, intermittent and low-bandwidth (DDIL) situations, and recover gracefully once connectivity is restored to normal. Solutions must not require the ability to reach a certain application or network to function.

Required Attributes:

  • Data controls are independent of any application, platform, network, or database
  • Ability to integrate external identity sources (NIS)
  • Resiliency to node and/or connectivity failures
  • Resiliency to encryption manipulation techniques
  • Rapid recovery/reconstitution capability
  • Minimal effort to deploy and scale
  • Distributed architecture (resiliency increases with scale)

PHASE I: The DoN is planning to issue multiple Phase I awards for this topic but reserves the right to issue no awards. Each Phase I proposal must include a Base and Option period of performance. The Phase I Base must have a period of performance of four (4) months at a cost not to exceed $75,000. The Phase I Option must have a period of performance of six (6) months at a cost not to exceed $100,000.

Phase I feasibility will show the Navy a design concept for data integrity and control, demonstrating all the required attributes listed in the description above. This concept will show the Navy how any information can be securely moved from anywhere to anywhere, while maintaining the integrity and control of the information post-delivery. Results of Phase I will be detailed in a final technical report (Final Report).

Phase I deliverables include:

- Kick-Off Briefing, due 15 days from start of Base award

- Final Report, due 120 days from start of Base award

- Quad Chart, due 120 days from start of Base award

- Initial Phase II Proposal, due 120 days from start of Base award

PHASE II: All Phase I awardees may submit an Initial Phase II proposal for evaluation and selection. The evaluation criteria for Phase II are the same as Phase I (as stated in this BAA). The Phase I Final Report and Initial Phase II Proposal will be used to evaluate the small business concern’s potential to adapt commercial products to fill a capability gap, improve performance, or modernize an existing capability for DoN and transition the technology to Phase III. Details on the due date, content, and submission requirements of the Initial Phase II Proposal will be provided by the awarding SYSCOM either in the Phase I contract or by subsequent notification.

The scope of the Phase II effort will be a small-scale deployment of the concept proposed in Phase I. Details of the performance goals will be defined in a Statement of Work (SoW) provided by the Navy. Phase II will be evaluated to prove or disprove the ability to control the integrity, access, and distribution of data independent of networks, applications, platforms, or database technology. The solution will aim to prove or disprove that protections are equal or better than current methods.

PHASE III DUAL USE APPLICATIONS: Phase III will integrate the capability demonstrated in Phase II with current Naval networks. Working with selected Naval network operators, the capability will be integrated and tested in operational settings. If Phase III efforts produce desirable results, the partner will develop a plan for further release within Naval elements, and to commercial network operators. Providing highly available, highly secure data without the complexity of applications, platforms, or networks is a desirable capability for anyone working with sensitive information. The concept of Zero Trust is applicable far beyond the defense domain, and protection at the data element level is a key outcome of the Zero Trust theory. Commercial operators implementing this solution will allow defense customers to make better use of commercial IT offerings.

REFERENCES:

  1. Scott Rose (NIST), Oliver Borchert (NIST), Stu Mitchell (Stu2Labs), Sean Connelly (DHS) "NIST Special Publication 800-207 Zero Trust Architecture" https://csrc.nist.gov/publications/detail/sp/800-207/final Retrieved 11 July 2023
  2. Loïc Lesavre, Priam Varin, Dylan Yaga "Blockchain Networks: Token Design and Management Overview" https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8301.pdf Retrieved 11 July 2023
  3. Department of the Navy Capstone Design Concept for Information Superiority https://www.doncio.navy.mil/mobile/ContentView.aspx?ID=15864&TypeID=3 Retrieved 11 July 2023

KEYWORDS: Zero Trust; Data-Centric Security; Web3; Blockchain; Encryption; Network

TPOC-1: Keegan Mills
Email: [email protected]


** TOPIC Q&A NOTICE **

The Navy Topic above is an "unofficial" copy from the Navy Topics in the DoD 24.4 SBIR BAA. Please see the official DoD Topic website at www.dodsbirsttr.mil/submissions/solicitation-documents/active-solicitations for any updates.

The DoD issued its Navy 24.4 Navy Open SBIR Topics pre-release on June 13, 2024 which opens to receive proposals on August 1, 2024, and closes September 4, 2024 (12:00pm ET).

Direct Contact with Topic Authors: During the pre-release period (June 13, 2024 through July 31, 2024) proposing firms have an opportunity to directly contact (by the listed email or phone) the Technical Point of Contact (TPOC) to ask technical questions about the specific BAA topic only. Once DoD begins accepting proposals on August 1, 2024 no further direct contact between proposers and topic authors is allowed unless the Topic Author is responding to a question submitted during the Pre-release period.

DoD Topic Q&A System: Questions may also be posed via the DoD Topic Q&A System until August 21, 2024 at 12:00 p.m. However, to ask a question on the Q&A system you must be registered on the DoD's DSIP site at www.dodsbirsttr.mil/submissions/login

In the DoD Topic Q&A System, the questioner and respondent remain anonymous but all questions and answers are posted for general viewing. Q&A results are available on a topic by topic basis here on the Navy SBIR site as well as the DoD Topic Search Tool at www.dodsbirsttr.mil/topics-app/

Help: If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk via email at [email protected]

Topic Q & A

8/17/24  Q. There is a conflict between NAVY_SBIR_244_r2.pdf and DoD_SBIR_244_Preface_08012024 regarding the disclosure of Foreign Affiliations. The Navy document is supposed to supersede (take precedence) the DOD requirements and it requires mandatory submission of Attachment 2 in Volume 5 (Attachment 2 to be found in the DoD_SBIR_244 document). However the DoD_SBIR_244 document removed Attachment 2 when they updated it on Aug 1. It seems that the Navy document was not updated in a likewise manner.
Could you please confirm that the Navy DOES NOT require Attachment 2 in Volume 5 (as stated in Navy_SBIR_244_R2 (at the top of page NAVY-6))?
   A. Please ensure you are reviewing Version 2 of the Navy SBIR 24.4 instruction, which was released at the Open date of the Open Topics in the DoD 24.4 BAA. Page NAVY-5 indicates that the Disclosures of Foreign Affiliations or Relationships to Foreign Countries is no longer a requirement of Volume 5. Page NAVY-6 details that the Disclosures of Foreign Affiliations or Relationships to Foreign Countries will be collected as Volume 7 of the proposal submission package within DSIP.
8/15/24  Q. The instructions state that “in order to be considered for award, a small business concern is required to implement NIST SP 800-171 and SHALL have a current assessment uploaded to the Supplier Performance Risk System”. We are SOC-2 compliant, but we have not done a SP 800-171 assessment yet. Is that strictly required BEFORE Phase 1, or can we get this done DURING phase 1 and before Phase 2? Thanks.
   A. In order to be considered for award (including Phase I award) a small business concern is required to implement NIST SP 800-171 and shall have a current assessment uploaded to SPRS. This is a self assessment. A Contracting Officer will confirm upload of the self assessment to SPRS prior to award.
8/5/24  Q. Given that Phase 1 is about showing the Navy “a design concept for data integrity and control”, do you expect to see in the Phase 1 Statement of Work (Base) section of Volume 2 (per the template) other deliverables than the four already listed in the topic call? Same question for the Option SoW, how detailed and granular should this be at this early stage?
   A. We are not expecting additional deliverables for Phase I. Phase I is abbreviated and primarily for feasibility determination.
8/3/24  Q. For this BAA, we are proposing SaaS and agnostic software for data analytics for tracking workflow, skills set, and any subject matter pertinent to a specific department. Would our SKIPS software fall into this DoN BAA category?
   A. It would depend on how that SaaS is delivered and resilient to disconnected states. I can't say from the description that it is or is not what we are searching for.
8/2/24  Q. In the “Required Attributes” list within the topic statement, the bullet point for “Resiliency to node or connectivity failures” is ambiguous. Are you referring to network nodes or some other type of node? Node or connectivity failures are typically managed through network routing. It is not clear what is intended by this requirement given that the topic is focused on data integrity and access control. Is this requirement saying that the data transport (layer 4 and above) must be resilient? Could you please clarify the requirement?
   A. Objective is to see distributed topology and resiliency to disconnected states. If we think of connectivity as an independent construct, the connectivity resiliency will be managed by what we call network today for the connectivity. A proposed solution may need similar constructs.
7/30/24  Q. Besides ICDF, ZTDF, and blockchain, are there any other technical solutions as well you are considering now?
   A. These are generally the most forward leaning technologies/solutions we are looking at right now for enterprise use cases.
7/30/24  Q. Can you provide more context on the "rapid recovery/reconstitution capability" and list a potential scenario?
   A. These are generally the most forward leaning technologies/solutions we are looking at right now for enterprise use cases.
7/30/24  Q. How does the navy see this technology interacting with or complementing existing security infrastructure?
   A. We are looking for tools/methods that move the secure/operate/defend mission closer to the object. We see this as a natural evolution of a connected space.
7/30/24  Q. Are there performance expectations in DDIL situations? If so, what are they or how will they be measured?
   A. Yes, what we are looking for is something that does not rely on a single point of control.
7/30/24  Q. What are the current limitations or pain points with existing Zero Trust implementations that this new approach aims to address? (i.e. specific use cases that aren't listed inside of the proposal: object independent, etc.)
   A. Current ZT implementations rely on applications / platforms to supply the security and control of data. Removing the data from the platform removes the data control. Looking for new methods to control data.
6/26/24  Q. Our solution promotes zero trust but it performs only one specific task in communication (credential verification), will it be eligible?
   A. This topic is looking for technology and/or methodology to control data independent of specific platforms or applications. Credential verification may be a component but would need to be combined with other tools / methods to answer our objective. We are also looking at novel ideas for identity verification in general. Perhaps credentials are not the only method.
