Machine Learning, Tactical Cross-Domain Solution, Cryptography Module

Navy SBIR 21.2 - Topic N212-110
NAVAIR - Naval Air Systems Command
Opens: May 19, 2021 - Closes: June 17, 2021 (12:00pm edt)

N212-110 TITLE: Machine Learning, Tactical Cross-Domain Solution, Cryptography Module

RT&L FOCUS AREA(S): Artificial Intelligence (AI)/Machine Learning (ML);Cybersecurity;Networked C3

TECHNOLOGY AREA(S): Information Systems

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with section 3.5 of the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.

OBJECTIVE: Design and develop a Tactical Cross Domain Solution (CDS) Cryptography Module for a Manned-Unmanned Teaming (MUM-T) that will achieve certification per the National Security Agency (NSA) Cross Domain Enterprise Service (CDES)/National Cross Domain Strategy Management Office (NCDSMO) and achieve Authority to Operate (ATO).

DESCRIPTION: Currently, MUM-Ts employ encryption/decryption on their communications links, usually through dedicated box-level components referred to as Encryption Control Units (ECUs). The use of ECUs in unmanned aerial vehicles (UAVs) must be certified by the NSA as "Type 1". The 10 OCT 2018 Department of Defense CIO memo, "Suspension of New Point-to-Point Cross Domain Solutions and Changes to Existing Point-to-Point Cross Domain Solutions Implementations," directed that development of new point-to-point CDS solutions be halted in favor of "enterprise" CDS solutions managed and monitored by the National Cross Domain Strategy and Management Office (NCDSMO). In addition, NSA released the Cross Domain Solution Design and Implementation Requirements: 2019 Raise the Bar Baseline Release (RTB). The RTB policy identifies four foundational concepts for a CDS, which are Redundant, Always Invoked, Independent Implementations, and Non-Bypassable (RAIN).

Using the nomenclature of the NCDSMO, this SBIR topic-requested system would classify as a Tactical-Class Transfer CDS (TCDS) with environmental constraints such as heat, humidity, and vibration, as well as a need to operate in an environment where communications capabilities may be interrupted. Usually these TCDS systems support a limited number of message formats. For this SBIR topic, the TCDS system should be designed to use a modular design capable of supporting a potentially large number of message formats, although any single instantiation would likely support a smaller set of message formats based on MUM-T mission requirements.

The proposed MUM-T CDS cryptography module may be either a multifunctional ECU, or a chassis ECU with multiple crypto functions on computer Printed Circuit Board (PCB) slices, or multiple smaller ECU modules with crypto functions in individual modules electronically connected together or being stand-alone ECUs. The CDS cryptography module must be capable of supporting multiple CDS channels at 100 Mb/s in less than or qual to 0.5 watts and within a threshold 1.5 cubic inches with an objective 0.5 cubic inches and a weight of threshold 0.7 ounces with an objective of less than 0.5 ounces, certified for Top Secret and Below (TSAB) Interoperability environments. The "Raise the Bar" compliant CDS cryptography module key factors in an envisioned NCDSMO certified solution would have minimally:

  1. an intelligent domain security hierarchy control point as an intellectual property (IP) core that is capable of reading, parsing, and intelligently routing to associate security domains, messages, data, images, and/or video. The proposed intelligent domain security hierarchy control point would be able to automate Object Identifier/Globally Unique Identifier (OID/GUID) data tagging that can be used for data analytics and distribution in the DCGS-N Inc. 2 Multi-Domain Federated Query (MDFQ) Architecture; manage and disseminate diverse types and formats of multi-domain messages, data, images, and/or video with different volumes, velocities, variability, and veracity characteristics; and handle changes in formats/fields of existing messages, data, images, and/or video types and feeds from multiple data sources.
  2. a scalable, guard-agnostic, cross-domain discovery service to communicate between different security domains allowing individual messages, images, or data fields within them to be selectively passed, blocked or changed.
  3. reprogrammable or configurable rulesets that allow adaptability in configuring each security domain to automate the "man in the middle" screening of message exchanges, thereby accelerating communications and reducing human error.
  4. pluggable filters, which include functions to filter data based on user programmable rulesets.
  5. machine learning (ML) algorithms to create data-driven content checkers for data leakage prevention (DLP), autonomous screening of message exchanges with no operator required, and also for an adaptive power management solution.
  6. a protocol adapter that uses an agile performance-enhancing proxy (PEP) protocol to be enabled during a disadvantaged network condition.
  7. an operator interface that allows role-based access and administration for configuration of each security domain through a separate management port.
  8. Raise the Bar Compliant filters supporting multiple message formats including images, video, audio, Link 16/JREAP-C, USMTF, FDMP, FTP, and SMTP formats.
  9. modular connectors for a cross-platform solution to enforce domain separation using separate high-and low-data ports.
  10. zero packet loss in disadvantaged networks where communication performance suffers, or is disrupted, or is not feasible due to characteristics of the datalink or subnetwork on the path to transfer information.
  11. a scalable guard-agnostic cross-domain discovery service using a service-oriented architecture (SOA) to autonomously screen message exchanges with no operator required.
  12. machine-to-machine (M2M) algorithm to authenticate all outbound traffic using the high assurance Transport Layer Security (TLS) cryptologic and NSA Key Management Infrastructure (KMI) trusted certificates with no operator required.
  13. anti-tamper protection with device zeroization built-in.
  14. full audit logging of all system, security, and message events.
  15. encrypted storage of rule sets and audit logs.
  16. secure boot and trusted platform verification upon power up.
  17. authenticated, role-based, device administration through management port.

The CDS cryptography module must be able to operate in the following environments:

  • Operational Temperature: -40 C to 70 C
  • Storage Temperature: -51 C to 85 C
  • Operational Altitude: 065,000 ft above sea level
  • Mechanical Shock: 40g, 11 ms, each axis
  • Vibration: Tracked and Wheeled Vehicle, Fixed-and Rotary-Wing Aircraft, Gunfire
  • Fluid Contaminations: Diesel, Hydraulic, Oil, Bleach
  • Relative Humidity: 10-95%
  • EMI/EMC: MIL-STD-461F, RE102, CE102, CS101, CS114, CS115, CS116, RS103
  • Power: MIL-STD-1275E, MIL-STD-704F

Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. owned and operated with no foreign influence as defined by DoD 5220.22-M, National Industrial Security Program Operating Manual, unless acceptable mitigating procedures can and have been implemented and approved by the Defense Counterintelligence and Security Agency (DCSA). The selected contractor must be able to acquire and maintain a secret level facility and Personnel Security Clearances. This will allow contractor personnel to perform on advanced phases of this project as set forth by DCSA and NAVAIR in order to gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material IAW DoD 5220.22-M during the advanced phases of this contract.

PHASE I: Design and demonstrate feasibility of a flyable routing solution scalable to various platform configurations with a CDS addressing multiple security levels. Develop a draft architecture and plan for attaining NSA approval for cryptologic systems. The Phase I effort will include prototype plans to be developed under Phase II.

The Phase I final report must include in the appendices: (a) a plan for NCDSMO certification of the final design which would achieve Common Criteria Evaluation Assurance Level (EAL) greater than four; (b) a Hardware/Software/Firmware Requirements/Design Specifications including use case diagrams (i.e., file drop, API/socket data transfers, database data transfers, video transfers, multiple CDS/file decomposition); and (c) a Design Description containing a full and detailed description of the proposed MUM-T CDS cryptography module design, including detailed system design, a traceability matrix to the software requirements and interfaces which abstracts isolation and security low-level communication details and exchanges.

PHASE II: Further design and develop the solution identified in Phase I into a prototype. In conjunction with the Government, develop simulated data and then use that data to demonstrate the prototype. Develop an unclassified set of controls to handle organic and off-board classified data types provided by the Government. Demonstrate features and function that would be best suited for transition into an operational environment.

Initiate process of attaining NSA approval for designed hardware and software.

Finalize the design, fabricate the design, and test the design developed in Phase I for proof of operation and ability to be certified. Finalize the steps necessary for NCDSMO certification and ATO.

Deliver prototype hardware and software documentation, which should include reports on: NSA Certification; Decryption; Encryption; Authentication; Transmission Security; Algorithms; Cryptographic Status; Cryptographic Alerts; Key Management Infrastructure -Enabled; Re-programmability; Protocols; Interfaces; Over-the-Network-Keying; Over-the-Air-Re-key; Key Storage; Multiple User Access; Key Manager; Crypto Manager, and System Manager.

Work in Phase II may become classified. Please see note in the Description section.

PHASE III DUAL USE APPLICATIONS: Complete development of the cross-domain control measures and perform final testing in a Government-designated simulation environment. After identifying specific data types and classifications of airborne system data, demonstrate a fully capable multilevel security CDS in a live fly event. Continue work with the Government sponsor to gain NSA approval for provided approach and transition to applications across naval airborne platforms.

The control measures and techniques employed may benefit companies seeking to protect proprietary data while working with other organizations. This technology will apply beyond the contractors supporting the DoD. Medical, financial, and civilian electronics industries will benefit from a technology that allows networking with competitors for collaboration while preventing proprietary or personal data from spillage onto an improper domain.

REFERENCES:

  1. Schneier, B. "Applied cryptography 2nd." John Wiley and Sons, Inc. New York, 1996. https://doi.org/10.1002/9781119183471.
  2. Ahmed, Z., Rahmatullah, M. M. and Jamal, H. "Security processor for bulk encryption." Proceedings of the 16th International Conference on Microelectronics (ICM), December 2004, pp. 446-449. https://doi.org/10.1109/ICM.2004.1434610.
  3. Luo, X., Chan, E. W. and Chang, R. K. "CLACK: A network covert channel based on partial acknowledgment encoding." 2009 IEEE International Conference on Communications, June 2009, pp. 1-5. https://doi.org/10.1109/ICC.2009.5198826.
  4. Luo, X., Chan, E. W., Zhou, P., & Chang, R. K. (2012). Robust network covert communications based on TCP and enumerative combinatorics. IEEE Transactions on Dependable and Secure Computing, 9(6), 890-902. https://doi.org/10.1109/TDSC.2012.64.
  5. Diffie, W. and Hellman, M. "New directions in cryptography." IEEE transactions on Information Theory, 22(6), 1976, pp. 644-654. https://doi.org/10.1109/TIT.1976.1055638.
  6. "Information Assurance Capabilities, Data at Rest Capability Package, Version 4.0." National Security Agency/ Central Security Service, January 2018. https://www.nsa.gov/Portals/70/documents/resources/everyone/csfc/capability-packages/dar-cp.pdf.
  7. "Information Assurance Capabilities, Commercial Solutions for Classified, Harnessing the Power of Commercial Industry." National Security Agency/ Central Security Service, September 2018. https://www.nsa.gov/Portals/70/documents/resources/everyone/csfc/csfc-faqs.pdf.
  8. MIL-STD-810H, DEPARTMENT OF DEFENSE TEST METHOD STANDARD: ENVIRONMENTAL ENGINEERING CONSIDERATIONS AND LABORATORY TESTS (31-JAN-2019)." http://everyspec.com/MIL-STD/MIL-STD-0800-0899/MIL-STD-810H_55998/.
  9. "Cross Domain Solution (CDS) Design and Implementation Requirements 2019 Raise the Bar (RTB) Baseline Release Draft Version 2.0 rev12." Doc ID: NCDSMO-R-00008-002_00, National Security Agency/ National Cross Domain Strategy and Management Office, 2 October 2019

KEYWORDS: Multilevel Security; Cross Domain Solution; CDS; Data Sorting; Adaptive; Small Form-factor; Machine Learning

** TOPIC NOTICE **

The Navy Topic above is an "unofficial" copy from the overall DoD 21.2 SBIR BAA. Please see the official DoD Topic website at rt.cto.mil/rtl-small-business-resources/sbir-sttr/ for any updates.

The DoD issued its 21.2 SBIR BAA pre-release on April 21, which opens to receive proposals on May 19, 2021, and closes June 17, 2021 (12:00pm edt).

Direct Contact with Topic Authors: During the pre-release period (April 21 thru May 18, 2021) proposing firms have an opportunity to directly contact the Technical Point of Contact (TPOC) to ask technical questions about the specific BAA topic. Once DoD begins accepting proposals on May 19, 2021 no further direct contact between proposers and topic authors is allowed unless the Topic Author is responding to a question submitted during the Pre-release period.

SITIS Q&A System: After the pre-release period, proposers may submit written questions through SITIS (SBIR/STTR Interactive Topic Information System) at www.dodsbirsttr.mil/topics-app/, login and follow instructions. In SITIS, the questioner and respondent remain anonymous but all questions and answers are posted for general viewing.

Note: Questions should be limited to specific information related to improving the understanding of a particular topics requirements. Proposing firms may not ask for advice or guidance on solution approach and you may not submit additional material to the topic author. If information provided during an exchange with the topic author is deemed necessary for proposal preparation, that information will be made available to all parties through SITIS. After the pre-release period, questions must be asked through the SITIS on-line system.

Topics Search Engine: Visit the DoD Topic Search Tool at www.dodsbirsttr.mil/topics-app/ to find topics by keyword across all DoD Components participating in this BAA.

Help: If you have general questions about DoD SBIR program, please contact the DoD SBIR Help Desk via email at DoDSBIRSupport@reisystems.com

[ Return ]