Douglas Maughan Division Director, Cyber Security Division Homeland Security Advanced Research Projects Agency (HSARPA) Department of Homeland Security (DHS) Science and Technology (S&T)
Obtaining Federal Research Funding Understanding the Landscape Contracting Small Business Programs Larger R&D Solicitations Summary / Q&A
Federal Cyber Research Community Agency / OrgResearch AgendaResearchers Customers / Consumers National Science Foundation (NSF) Broad range of cyber security topics; Several academic centers Academics and Non- Profits Basic Research - No specific customers Defense Advanced Research Projects Agency (DARPA) Mostly classified; unclassified topics are focused on MANET solutions Few academics; large system integrators; research and government labs Mostly DOD; most solutions are GOTS, not COTS National Security Agency (NSA) SELinux; Networking theory; CAEIAE centers Mostly in-houseIntelligence community; some NSA internal; some open source Intelligence Advanced Research Projects Agency (IARPA) Accountable Information Flow (AIF); Large Scale System Defense (LSSD); Privacy Protection Technologies (PPT) Mostly research labs, system integrators, and national labs; Some academics Intelligence community Department of Homeland Security (DHS) S&T All unclassified; Secure Internet Protocols; Process Control Systems (PCS), Emerging Threats, Insider Threat, Cyber Forensics; Open Security Technologies, Next Generation Technologies Blend of academics, research and government labs, non-profits, private sector and small business DHS Components (including NPPD, NCSC, USCG, FLETC and USSS); CI/KR Sectors; USG and Internet
Increasing your success rate getting Federal R&D support Understand your client Federal agencies have distinctly different characters Different missions Different processes Federal agencies are not charities Money is appropriated to them for specific purposes You will be more successful if you can explain why your proposed R&D supports their mission
Identify requirements Develop program plan and allocate resources Communicate plans and priorities to technical community Posting Solicitations Solicitation Process – White Papers Submitting proposals Different programs demand different contract vehicles Flexibility used to match mission Programs tailored to meet unique conditions of objectives Active interaction with performers ExecutionContractSolicitationPlanning Federal R&D Process
Federal R&D Programs A program is led by a Program Manager(PM) A program will have: Specific Technology Objectives aligned with customer needs which, if achieved, will have a significant operational impact Plan to move from current level of technical maturity to a higher level (e.g., For DOD it’s TRLs – Technology Readiness Levels) A technical approach indicating how the objectives will be achieved A program structure indicating how the PM has deployed resources (time, money, executors) to achieve the objectives Deliverables Transition Strategy/Technology Development Path
Relationship with the Program Manager PM wants to leverage existing technology, others’ R&D investment and market pull PM wants the intellectual property strategy aligned with transition plan, but will (usually) negotiate PM’s job is to manage technical and programmatic risk and WANTS YOU TO SUCCEED The PM is a resource for you in accomplishing the R&D and in transitioning to the (government) customer
Mechanics of Proposing R&D Find agencies with closest mission match Identify R&D element(s) within the agencies Look for existing R&D solicitations (Money already exists for these efforts!) Do your homework (LOOK AT PREVIOUS SOLICITATIONS, read website, workshop results, and any presentations on your target program solicitation) Respond to solicitation carefully – meet all administrative requirements and make sure your R&D matches the stated program needs If no solicitation, contact R&D PM. Explain relevance to his/her mission. Be patient. Be persistent.
Contracting Vehicles The Government has a range of contracting vehicles to match programmatic needs and contractor character. Grants Contracts Cooperative agreements Other Transactions for Research or Prototypes Allows government to deal with non-traditional contractors who have desirable technologies, but do not want to keep “Government books” Must comply with “generally acceptable accounting principles”
R&D Proposals Team approach (technical & business) Consider hiring government contracting specialist Cost realism Cost or Price Analysis Contract Types for R&D
Cost or Price Analysis Level of Complexity Will Vary Contract Type Dollar Value The Basis of Your Proposal Costs Be Prepared to Provide Backup Data Indirect Rate Structure Fee/Profit
Business Capabilities Financial Audit Proposal Costs Accounting System Estimating System Financial Capabilities Past Performance NOTE: If you’ve never had a government contract, consider talking with DCAA sooner rather than later. DCAA = Defense Contract Audit Agency
The Normal Contract Terms Read & Understand Your Contract Contract Line Items/Deliverables Contract Clauses Performance Proposal - What did you say you would do? Deliverables - Due Dates Acceptance - How Accomplished Payment Invoicing Procedures and Certification Prompt Payment Act Limitation of Funds/Limitation of Cost
Programs for U. S. Small Business Small Business Innovation Research (SBIR) Set-aside program for small business concerns to engage in federal R&D --with potential for commercialization Small Business Technology Transfer (STTR) Set-aside program to facilitate cooperative R&D between small business concerns and research institutions -- with potential for commercialization 2.5%.3%
PHASE I Feasibility Study $100K (in general) and 6 month effort PHASE III Commercialization Stage Use of non-SBIR Funds PHASE II Full Research/R&D $750K and 24 month effort Commercialization plan required SBIR - A 3 Phase Program
Which Government Agencies? Both SBIR/STTR Defense Health & Human Services NASA DOE NSF DHS SBIR only DOA DOC ED EPA DOT NIH
Agency SBIR Differences Number and timing of solicitations R&D Topic Areas – Broad vs. Focused Dollar Amount of Award (Phase I and II) Proposal preparation instructions Financial details (e.g., Indirect Cost Rates) Proposal review process Proposal success rates Types of award Commercialization assistance And more…………
SBIR Program: Small Business Concern Eligibility Organized for-profit place of business located in the U.S., operates primarily within the U.S., or which makes significant contribution to the U.S. economy through payment of taxes or use of American products, materials or labor Is in the legal form of an individual proprietorship, partnership, limited liability company, corporation, joint venture, association, trust or cooperative where the form is a joint venture, there can be no more than 49% participation by business entities in the joint venture
SBIR Program: Small Business Concern Eligibility (Continued) Fewer than 500 employees, including affiliates Principal Investigator’s (PI) primary employment must be with the small business concern at the time of award and for the duration of the project period Significant amount of PIs time will be devoted to the SBIR effort
Performance of R&D Activities “All research/R&D must be performed in its entirety in the U.S.” Rare cases to conduct testing of specific patient populations outside U.S. is allowable Travel to scientific meeting in foreign country is allowable Foreign consultants/collaborators allowable, but must perform consulting in U.S.
Intellectual Property, Data Rights and the SBIR Program As with all contracts, pursuant to the Bayh-Dole Act, an SBIR contractor can elect title to inventions discovered under the SBIR contract (FAR 52.227-11) The Small Business Act (15 U.S.C. 631(j)(2)(A)) provides for retention by an SBIR awardee of the rights to data generated by the concern in the performance of an SBIR award protection of SBIR data is intended to provide incentive for further development or commercialization of technology by the SBIR awardee If you don’t understand the IPR issues, get help!!
Intellectual Property, Data Rights and the SBIR Program-2 The SBIR Program is an instance in which government funds are to be used to create data protected from disclosure, and therefore, has its own rights in data clause (FAR 52.227-20) As a result, the government must protect from disclosure and non- governmental use “SBIR data”, technical data, and computer software first produced under a SBIR funding agreement and properly marked The period of protection under the FAR is four years from delivery of the last deliverable under that agreement (either Phase I, Phase II, or a Federally-funded SBIR Phase III) Protections against disclosure of data from one phase may extend to four years after subsequent SBIR awards if properly recognized in subsequent awards
DHS S&T SBIR Evaluation Criteria The soundness, technical merit, and innovation of the proposed approach and its progress toward topic solution The qualifications of the proposed principal investigators, supporting staff, and consultants Qualifications include not only the ability to perform the research and development but also the ability to commercialize the results The potential for commercial (government or private sector) application and the benefits expected to accrue from this commercialization
Proposal Submissions by Size of Company ( FY04.2 – FY10.2 data ) Number of Employees
DHS SBIR Phase I Data from 14 Competitions through FY10.2* MA 269/55 Total Phase I Submissions/Awards 2,608/423 * Includes STTR data HI 17/3 OR 22/5 WA 51/12 AK 3/1 CA 535/104 NV 17/1 ID 8/0 MT 9/2 ND 1/0 SD 2/0 NE 7/1 KS 6/1 WY 2/0 UT 28/7 CO 68/10 AZ 46/10 NM 42/7 TX 140/23 OK 10/3 MN 41/7 WI 13/2 IA 4/0 MO 19/2 AR 3/0 LA 19/2 MI 70/9 IL 49/6 IN 35/3 OH 49/1 PA 63/8 KY 10/1 TN 19/1 VA 239/35 NC 32/5 SC 8/1 GA 39/3 FL 93/11 AL 48/7 MS 5/0 WV 10/1 NY 101/28 ME 11/0 NH 25/6 VT 10/1 RI 7/1 CT 47/8 NJ 69/6 DE 9/0 MD 169/23 PR 3/0 DC 6/0
Small Business Innovative Research (SBIR) Since 2004, DHS S&T Cyber Security Program has had: 47 Phase I efforts 22 Phase II efforts 5 efforts currently in progress 8 commercial products available Three acquisitions Komoku, Inc. (MD) acquired by Microsoft in March 2008 Endeavor Systems (VA) acquired by McAfee in January 2009 Solidcore (CA) acquired by McAfee in June 2009
Added Bonus - Cost Match Allows small businesses to seek additional funding for Phase II projects from non-SBIR sources Minimum of $100,000 to maximum of $500,000 of outside funding Matched by DHS SBIR up to $250,000 in a 1:2 ratio Additional funds require additional scope – need to either add R&D on SBIR contract or other development and commercialization activities (or some of both) Cost match is a motivator for, and an indicator of, commercial potential
The DoD IA Research Community NSAONRAFRLARL National IANRLAFOSRARO Research Lab Academia Industry SBIRs are funded by DDR&E, DARPA, the Services and Agencies DARPA
DDR&E Small Business Innovative Research (SBIR) Program Cyber Security awards since 2007 - present 123 Phase I awards 39 Phase II awards Roughly $11 M per year DDR&E awards Annual SBIR Workshop Last on was 20-22 July 2010; Next one is 12-14 July 2011 in WDC Links government, SBIR researchers, prime contractors 150 participants Includes SBIR & STTR
DOD DDR&E SBIR topics OSD10-IA1 Countermeasures to Malicious Hardware to Improve Software Protection Systems OSD10-IA2 Effective Portable Data Content Inspection and Sanitization OSD10-IA3 Robust and Effective Anti-Phishing Techniques OSD10-IA4 Preventing Sensitive Information and Malicious Traffic from Leaving Computers OSD10-IA5 Biometric-based Computer Authentication during Mission-Oriented Protective Posture Scenarios
Useful Web Sites https://sbir.dhs.govhttps://sbir.dhs.gov www.baa.st.dhs.govwww.baa.st.dhs.gov www.dhs.govwww.dhs.gov www.dhs.gov/xopnbiz/www.dhs.gov/xopnbiz/ www.fedbizopps.govwww.fedbizopps.gov www.sbir.govwww.sbir.gov Useful Web Sites and DHS S&T Directorate SBIR Point of Contact Elissa (Lisa) Sobolewski DHS SBIR Program Director firstname.lastname@example.org (202) 254-6768 S&T SBIR Program Email: STSBIR.PROGRAM@dhs.gov
Broad Agency Announcements (BAAs) http://baa.st.dhs.gov R&D funding model that delivers both near-term and medium-term solutions: To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure. To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems; To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.
Past Solicitations http://baa.st.dhs.gov Left hand side – Past Solicitations Look for BAA 07-09 and BAA 04-17 Review BAA, any modifications or amendments, presentations, etc.
BAA Program / Proposal Structure Type I (New Technologies) New technologies with an applied research phase, a development phase, and a deployment phase (optional) Funding not to exceed 36 months (including deployment phase) Type II (Prototype Technologies) More mature prototype technologies with a development phase and a deployment phase (optional) Funding not to exceed 24 months (including deployment phase) Type III (Mature Technologies) Mature technology with a deployment phase only. Funding not to exceed 12 months
BAA 07-09 Technical Topic Areas Botnets and Other Malware: Detection and Mitigation Composable and Scalable Secure Systems Cyber Security Metrics Network Data Visualization for Information Assurance Internet Tomography / Topography Routing Security Management Tool Process Control System Security Secure and Reliable Wireless Communication for Control Systems Real-Time Security Event Assessment and Mitigation Data Anonymization Tools and Techniques Insider Threat Detection and Mitigation
BAA 07-09 White Papers Registrations Received Submissions Received
BAA 07-09 Full Proposal Statistics 80 offerors were encouraged to submit Full Proposals based on the White Paper reviews; 63 of those offerors submitted Full Proposals. AWARD SUMMARY Type I – 6 Type II – 9 Type III – 2 LEADS Academic – 6 Industry – 10 Labs – 1
41 12 CNCI Projects Reduce the Number of Trusted Internet Connections Deploy Passive Sensors Across Federal Systems Pursue Deployment of Automated Defense Systems Coordinate and Redirect R&D Efforts Establish a front line of defense Connect Current Centers to Enhance Situational Awareness Develop Gov’t-wide Counterintelligence Plan for Cyber Increase Security of the Classified Networks Expand Education Resolve to secure cyberspace / set conditions for long-term success Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs Define and Develop Enduring Deterrence Strategies & Programs Manage Global Supply Chain Risk Cyber Security in Critical Infrastructure Domains Shape future environment / secure U.S. advantage / address new threats CNCI = Comprehensive National Cyber Initiative
National Cyber Leap Year (NCLY) RFI – 1: Generic, wide-open Received over 160 responses; created 9 research areas Attribution, Cyber Economics, Disaster Recovery, Network Ecology, Policy-based Configuration, Randomization/Moving Target, Secure Data, Software Assurance, Virtualization RFI – 2: Same as RFI-1, but providing IP protection Received over 30 responses RFI – 3: Requested submissions only in 9 research areas above Received over 40 responses National Cyber Leap Year (NCLY) Summit August 17-19, 2009 Results posted on http://www.nitrd.gov
NCLY Summit Topics Cyber economics Digital provenance Hardware enabled trust Moving target defense Nature inspired cyber defense Expectation: Agencies will include these topics in future solicitations
Cyber Economics Enable trusted repositories of data and metrics to allow economic analysis Theories, models, and scientific understanding of cyber economics Environment for training users and allowing controls of personal data Tools to empower service providers in the defense of their infrastructure
Digital Provenance Develop new mechanisms for digital provenance definitions and management Create technologies allowing stable and trustworthy entity identity Advance data security techniques for provenance of data from creation to destruction
Hardware Enabled Trust Create new resilient (diversity, redundancy, recovery) hardware Hardware defenses for hardware attacks Develop new trustworthy data storage architectures and technologies
Moving Target Defense Technologies allowing a shift from reactive security postures to active preemptive postures Create and develop manageable moving target mechanisms that create disruption for the adversaries, but not for the legitimate users Techniques to analyze the effectiveness of MT mechanisms against various attacks and disruptions Solutions that increase the ability to observe, shape, and expose the actions of adversaries as they attempt to evade and break MT mechanisms
Nature Inspired Cyber Defense Improve current distributed network defenses to react more quickly Create technologies that provide evolving system immunity to attacks Establish a Cyber-CDC (global cyber information sharing) Analyze legal aspects associated with active cyber defense
A Roadmap for Cybersecurity Research http://www.cyber.st.dhs.gov Scalable Trustworthy Systems Enterprise Level Metrics System Evaluation Lifecycle Combatting Insider Threats Combatting Malware and Botnets Global-Scale Identity Management Survivability of Time-Critical Systems Situational Understanding and Attack Attribution Information Provenance Privacy-Aware Security Usable Security
Roadmap Content What is the problem being addressed? What are the potential threats? Who are the potential beneficiaries? What are their respective needs? What is the current state of practice? What is the status of current research? What are the research gaps? What challenges must be addressed? What resources are needed? How do we test & evaluate solutions? What are the measures of success?
Summary Learn about the agencies, their missions, and meet the Program Managers Build your team to deliver – consider including contracting personnel Understand the opportunities – SBIR, STTR, BAA, CNCI R&D, RFP (not discussed in this presentation)
Douglas Maughan, Ph.D. Division Director Cyber Security Division Homeland Security Advanced Research Projects Agency (HSARPA) email@example.com 202-254-6145 / 202-360-3170 For more information, visit http://www.cyber.st.dhs.gov