N182-104
TITLE: Multi-Integrated Domain Administrative Support Solution
TECHNOLOGY AREA(S):
Information Systems
ACQUISITION PROGRAM: PMA-205
Naval Aviation Training Systems
The technology within this
topic is restricted under the International Traffic in Arms Regulation (ITAR),
22 CFR Parts 120-130, which controls the export and import of defense-related
material and services, including export of sensitive technical data, or the
Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls
dual use items. Offerors must disclose any proposed use of foreign nationals
(FNs), their country(ies) of origin, the type of visa or work permit possessed,
and the statement of work (SOW) tasks intended for accomplishment by the FN(s)
in accordance with section 3.5 of the Announcement. Offerors are advised
foreign nationals proposed to perform on this topic may be restricted due to
the technical data under US Export Control Laws.
OBJECTIVE: Design and develop
a cross-domain solution (CDS) technology that allows a centrally located system
administrator to disseminate network configuration information to multiple
associated networks.
DESCRIPTION: One of the core
security features of distinct information networks is that they are separate
from other computer networks. This is primarily implemented to ensure that if
one is compromised, the other remains unaffected as access to the network is
limited and restricted by an administrator.
Although the cyber security benefits of individual networks are clear, there is
a desire for a secure CDS to allow a central system administrator to manage
multiple networks. Cross-domain solutions provide the ability to transfer
information between two domains with different security levels that are
isolated from each other. Currently, each network administrator must set up
separate instances for their own respective domains, which poses
software-related concurrency challenges. The desired solution is envisioned as
a standalone solution, or a technology that can be added to an existing
cross-domain solution for network communication between trusted and untrusted
networks. Key factors in an envisioned solution include the scalability of the
architecture (e.g., number of networks, components) and the supportability of
the device (i.e., being able to change the rulesets when new versions of
host-based security system (HBSS) or a domain controller are released). Having
the ability to manage all domains with a single cyber security solution
(through a specialized guard) would significantly lessen both the initial
acquisition and sustainment costs of any procurement that had the requirement
for multiple classification levels. Proposers should consider and adhere to
Risk Management Framework (RMF) guidelines [Ref 3].
Work produced in Phase II may become classified. Note: The prospective
contractor(s) must be U.S. Owned and Operated with no Foreign Influence as
defined by DOD 5220.22-M, National Industrial Security Program Operating
Manual, unless acceptable mitigating procedures can and have been implemented and
approved by the Defense Security Service (DSS). The selected contractor and/or
subcontractor must be able to acquire and maintain a secret level facility and
Personnel Security Clearances, in order to perform on advanced phases of this
contract as set forth by DSS and NAVAIR in order to gain access to classified
information pertaining to the national defense of the United States and its
allies; this will be an inherent requirement. The selected company will be
required to safeguard classified material IAW DoD 5220.22-M during the advanced
phases of this contract.
PHASE I: Design, develop, and
demonstrate the feasibility of a proof-of-concept cross-domain solution and
network communication between trusted and untrusted networks. Identify
Information Assurance (IA) challenges or CDS policy that impact prototype
development. Consider RMF guidelines in initial design to support information
assurance compliance throughout the effort. Develop plans for the prototype to
be developed in Phase II.
PHASE II: Design and develop
a prototype technology solution and implement it in a laboratory test
environment. Demonstrate that relevant IA policies and safety concerns are
addressed while enabling enhanced information flow. Continue to consider and
adhere to RMF guidelines during the development to support information
assurance compliance.
It is probable that the work under this effort will be classified under Phase
II (see Description section for details).
PHASE III DUAL USE
APPLICATIONS: Complete development of CDS based on Phases I and II efforts,
targeting the representative domain and networks. Demonstrate and evaluate the
utility of CDS within a targeted transition environment. Transition and deliver
a fully-featured CDS to the Navy.
Any company that wishes to segregate its network for security or any other
reason could make use of this application. Whether protecting Health Insurance
Portability and Accountability Act (HIPAA) information or trade secrets, the
ability to seamlessly manage multiple networks would be useful to any number of
private sector companies (e.g., medical insurance, hospital/medical groups,
industry associated with government contracting, pharmaceuticals, information
technology, law firms) that wish to practice good cyber security on a budget.
REFERENCES:
1. Liguori, A., Benedetto,
F., Giunta, G., Kopal, N., and Wacker, A. "SoftGap: A Multi Independent Levels
of Security Cross-Domain Solution". 2015 3rd International Conference on Future
Internet of Things and Cloud, August 2015, pp. 754-759. https://www.computer.org/web/search?cs_search_action=advancedsearch&search-options=dl&searchOperation=exact&searchText=SoftGap%3A+A+Multi+Independent+Levels+of+Security+Cross-Domain+Solution
2. Ollett, A., Robertson, S.,
Baker, D., Lafon, F., Giesbertz, B., Liu, M., Fernando, N., and Parkinson, A.
"Reducing the footprint of deployed information systems with Cross Domain
Solutions�. Journal of Battlefield Technology, 2013, 16(1), 1. http://www.argospress.com/articles/2013/reducing-the-footprint-of-deployed-information-systems-with-cross-domain-solutions
3. Risk Management Framework
(RMF) for DoD Information Technology (IT): http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_2014.pdf
KEYWORDS: Cyber Security;
Cross-domain Solution (CDS); Controlled Interface (CI); Guard, Ruleset;
Live-Virtual-Constructive (LVC); Multi-level Security
** TOPIC NOTICE **
These Navy Topics are part of the overall DoD 2018.2 SBIR BAA. The DoD issued its 2018.2 BAA SBIR pre-release on April 20, 2018, which opens to receive proposals on May 22, 2018, and closes June 20, 2018 at 8:00 PM ET.
Between April 20, 2018 and May 21, 2018 you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting May 22, 2018 when DoD begins accepting proposals for this BAA.
However, until June 6, 2018, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.
Topics Search Engine: Visit the DoD Topic Search Tool at www.defensesbirsttr.mil/topics/ to find topics by keyword across all DoD Components participating in this BAA.
Proposal Submission: All SBIR/STTR Proposals must be submitted electronically through the DoD SBIR/STTR Electronic Submission Website, as described in the Proposal Preparation and Submission of Proposal sections of the program Announcement.
Help: If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or via email at [email protected]