
Douglas Maughan

Douglas Maughan. Division Director, Cyber Security Division Homeland Security Advanced Research Projects Agency (HSARPA) Department of Homeland Security (DHS) Science and Technology (S&T). Obtaining Federal Research Funding. Understanding the Landscape Contracting Small Business Programs


Presentation Transcript


  1. Douglas Maughan Division Director, Cyber Security Division Homeland Security Advanced Research Projects Agency (HSARPA) Department of Homeland Security (DHS) Science and Technology (S&T)

  2. Obtaining Federal Research Funding • Understanding the Landscape • Contracting • Small Business Programs • Larger R&D Solicitations • Summary / Q&A

  3. Federal Cyber Research Community

  4. Increasing your success rate getting Federal R&D support • Understand your client • Federal agencies have distinctly different characters • Different missions • Different processes • Federal agencies are not charities • Money is appropriated to them for specific purposes • You will be more successful if you can explain why your proposed R&D supports their mission

  5. Federal R&D Process • Planning • Solicitation • Contract • Execution • Identify requirements • Develop program plan and allocate resources • Communicate plans and priorities to technical community • Posting Solicitations • Solicitation Process – White Papers • Submitting proposals • Different programs demand different contract vehicles • Flexibility used to match mission • Programs tailored to meet unique conditions of objectives • Active interaction with performers

  6. Federal R&D Programs • A program is led by a Program Manager (PM) • A program will have: • Specific Technology Objectives aligned with customer needs which, if achieved, will have a significant operational impact • Plan to move from current level of technical maturity to a higher level (e.g., for DOD it’s TRLs – Technology Readiness Levels) • A technical approach indicating how the objectives will be achieved • A program structure indicating how the PM has deployed resources (time, money, executors) to achieve the objectives • Deliverables • Transition Strategy/Technology Development Path

  7. Relationship with the Program Manager • PM wants to leverage existing technology, others’ R&D investment and market pull • PM wants the intellectual property strategy aligned with transition plan, but will (usually) negotiate • PM’s job is to manage technical and programmatic risk and WANTS YOU TO SUCCEED • The PM is a resource for you in accomplishing the R&D and in transitioning to the (government) customer

  8. Mechanics of Proposing R&D • Find agencies with closest mission match • Identify R&D element(s) within the agencies • Look for existing R&D solicitations (Money already exists for these efforts!) • Do your homework (LOOK AT PREVIOUS SOLICITATIONS, read website, workshop results, and any presentations on your target program solicitation) • Respond to solicitation carefully – meet all administrative requirements and make sure your R&D matches the stated program needs • If no solicitation, contact R&D PM. Explain relevance to his/her mission. Be patient. Be persistent.

  9. Contracting Vehicles • The Government has a range of contracting vehicles to match programmatic needs and contractor character. • Grants • Contracts • Cooperative agreements • Other Transactions for Research or Prototypes • Allows government to deal with non-traditional contractors who have desirable technologies, but do not want to keep “Government books” • Must comply with “generally acceptable accounting principles”

  10. R&D Proposals • Team approach (technical & business) • Consider hiring government contracting specialist • Cost realism • Cost or Price Analysis • Contract Types for R&D

  11. Cost or Price Analysis • Level of Complexity Will Vary • Contract Type • Dollar Value • The Basis of Your Proposal Costs • Be Prepared to Provide Backup Data • Indirect Rate Structure • Fee/Profit

  12. Business Capabilities • Financial Audit • Proposal Costs • Accounting System • Estimating System • Financial Capabilities • Past Performance • NOTE: If you’ve never had a government contract, consider talking with DCAA sooner rather than later. DCAA = Defense Contract Audit Agency

  13. The Normal Contract • Terms • Read & Understand Your Contract • Contract Line Items/Deliverables • Contract Clauses • Performance • Proposal - What did you say you would do? • Deliverables - Due Dates • Acceptance - How Accomplished • Payment • Invoicing Procedures and Certification • Prompt Payment Act • Limitation of Funds/Limitation of Cost

  14. Helpful Contracting Websites • http://www.dcaa.mil/dcaap7641.90.pdf • http://www.sba.gov/services/contractingopportunities • http://farsite.hill.af.mil • http://acquisition.gov/far/index.html

  15. Programs for U. S. Small Business • Small Business Innovation Research (SBIR) • Set-aside program for small business concerns to engage in federal R&D -- with potential for commercialization • Small Business Technology Transfer (STTR) • Set-aside program to facilitate cooperative R&D between small business concerns and research institutions -- with potential for commercialization 2.5% .3%

  16. SBIR - A 3 Phase Program • PHASE I • Feasibility Study • $100K (in general) and 6 month effort • PHASE II • Full Research/R&D • $750K and 24 month effort • Commercialization plan required • PHASE III • Commercialization Stage • Use of non-SBIR Funds

  17. Which Government Agencies? • Both SBIR/STTR • Defense • Health & Human Services • NASA • DOE • NSF • DHS • SBIR only • DOA • DOC • ED • EPA • DOT • NIH

  18. Agency SBIR Differences • Number and timing of solicitations • R&D Topic Areas – Broad vs. Focused • Dollar Amount of Award (Phase I and II) • Proposal preparation instructions • Financial details (e.g., Indirect Cost Rates) • Proposal review process • Proposal success rates • Types of award • Commercialization assistance • And more…………

  19. Agency Differences • ALWAYS CHECK WITH AGENCIES

  20. SBIR Program: Small Business Concern Eligibility • Organized for-profit • place of business located in the U.S., • operates primarily within the U.S., • or which makes significant contribution to the U.S. economy through payment of taxes or use of American products, materials or labor • Is in the legal form of an individual proprietorship, partnership, limited liability company, corporation, joint venture, association, trust or cooperative • where the form is a joint venture, there can be no more than 49% participation by business entities in the joint venture

  21. SBIR Program: Small Business Concern Eligibility (Continued) • Fewer than 500 employees, including affiliates • Principal Investigator’s (PI) primary employment must be with the small business concern at the time of award and for the duration of the project period • Significant amount of PI’s time will be devoted to the SBIR effort

  22. Performance of R&D Activities • “All research/R&D must be performed in its entirety in the U.S.” • Rare cases to conduct testing of specific patient populations outside U.S. is allowable • Travel to scientific meeting in foreign country is allowable • Foreign consultants/collaborators allowable, but must perform consulting in U.S.

  23. Intellectual Property, Data Rights and the SBIR Program • As with all contracts, pursuant to the Bayh-Dole Act, an SBIR contractor can elect title to inventions discovered under the SBIR contract (FAR 52.227-11) • The Small Business Act (15 U.S.C. 631(j)(2)(A)) provides for retention by an SBIR awardee of the rights to data generated by the concern in the performance of an SBIR award • protection of SBIR data is intended to provide incentive for further development or commercialization of technology by the SBIR awardee • If you don’t understand the IPR issues, get help!!

  24. Intellectual Property, Data Rights and the SBIR Program-2 • The SBIR Program is an instance in which government funds are to be used to create data protected from disclosure, and therefore, has its own rights in data clause (FAR 52.227-20) • As a result, the government must protect from disclosure and non-governmental use “SBIR data”, technical data, and computer software first produced under a SBIR funding agreement and properly marked • The period of protection under the FAR is four years from delivery of the last deliverable under that agreement (either Phase I, Phase II, or a Federally-funded SBIR Phase III) • Protections against disclosure of data from one phase may extend to four years after subsequent SBIR awards if properly recognized in subsequent awards

  25. DHS S&T SBIR Evaluation Criteria • The soundness, technical merit, and innovation of the proposed approach and its progress toward topic solution • The qualifications of the proposed principal investigators, supporting staff, and consultants • Qualifications include not only the ability to perform the research and development but also the ability to commercialize the results • The potential for commercial (government or private sector) application and the benefits expected to accrue from this commercialization

  26. Proposal Submissions by Size of Company (FY04.2 – FY10.2 data) Number of Employees

  27. DHS SBIR Phase I • Data from 14 Competitions through FY10.2* • Total Phase I Submissions/Awards: 2,608/423 • Submissions/Awards by state: WA 51/12 • NH 25/6 • ME 11/0 • MT 9/2 • VT 10/1 • ND 1/0 • OR 22/5 • MN 41/7 • ID 8/0 • WI 13/2 • NY 101/28 • SD 2/0 • MI 70/9 • RI 7/1 • WY 2/0 • CT 47/8 • IA 4/0 • NE 7/1 • PA 63/8 • NV 17/1 • OH 49/1 • NJ 69/6 • IN 35/3 • IL 49/6 • UT 28/7 • CO 68/10 • WV 10/1 • DE 9/0 • CA 535/104 • VA 239/35 • KS 6/1 • MO 19/2 • MD 169/23 • KY 10/1 • DC 6/0 • NC 32/5 • TN 19/1 • OK 10/3 • AZ 46/10 • AR 3/0 • SC 8/1 • NM 42/7 • GA 39/3 • AL 48/7 • MS 5/0 • TX 140/23 • LA 19/2 • AK 3/1 • FL 93/11 • PR 3/0 • HI 17/3 • MA 269/55 • * Includes STTR data

  28. Small Business Innovative Research (SBIR) • Since 2004, DHS S&T Cyber Security Program has had: • 47 Phase I efforts • 22 Phase II efforts • 5 efforts currently in progress • 8 commercial products available • Three acquisitions • Komoku, Inc. (MD) acquired by Microsoft in March 2008 • Endeavor Systems (VA) acquired by McAfee in January 2009 • Solidcore (CA) acquired by McAfee in June 2009

  29. Added Bonus - Cost Match • Allows small businesses to seek additional funding for Phase II projects from non-SBIR sources • Minimum of $100,000 to maximum of $500,000 of outside funding • Matched by DHS SBIR up to $250,000 in a 1:2 ratio • Additional funds require additional scope – need to either add R&D on SBIR contract or other development and commercialization activities (or some of both) • Cost match is a motivator for, and an indicator of, commercial potential

  30. The DoD IA Research Community • NSA • ONR • AFRL • ARL • NRL • AFOSR • ARO • National IA Research Lab • Industry • Academia • DARPA • SBIRs are funded by DDR&E, DARPA, the Services and Agencies

  31. DDR&E Small Business Innovative Research (SBIR) Program • Cyber Security awards since 2007 - present • 123 Phase I awards • 39 Phase II awards • Roughly $11 M per year DDR&E awards • Annual SBIR Workshop • Last one was 20-22 July 2010; Next one is 12-14 July 2011 in WDC • Links government, SBIR researchers, prime contractors • 150 participants • Includes SBIR & STTR

  32. DOD DDR&E SBIR topics • OSD10-IA1 Countermeasures to Malicious Hardware to Improve Software Protection Systems • OSD10-IA2 Effective Portable Data Content Inspection and Sanitization • OSD10-IA3 Robust and Effective Anti-Phishing Techniques • OSD10-IA4 Preventing Sensitive Information and Malicious Traffic from Leaving Computers • OSD10-IA5 Biometric-based Computer Authentication during Mission-Oriented Protective Posture Scenarios

  33. Useful Web Sites and DHS S&T Directorate SBIR Point of Contact • Useful Web Sites • https://sbir.dhs.gov • www.baa.st.dhs.gov • www.dhs.gov • www.dhs.gov/xopnbiz/ • www.fedbizopps.gov • www.sbir.gov • Elissa (Lisa) Sobolewski • DHS SBIR Program Director • elissa.sobolewski@dhs.gov • (202) 254-6768 • S&T SBIR Program Email: • STSBIR.PROGRAM@dhs.gov

  34. Broad Agency Announcements (BAAs) • http://baa.st.dhs.gov • R&D funding model that delivers both near-term and medium-term solutions: • To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure. • To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems; • To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

  35. Past Solicitations • http://baa.st.dhs.gov • Left hand side – Past Solicitations • Look for BAA 07-09 and BAA 04-17 • Review BAA, any modifications or amendments, presentations, etc.

  36. BAA Program / Proposal Structure • Type I (New Technologies) • New technologies with an applied research phase, a development phase, and a deployment phase (optional) • Funding not to exceed 36 months (including deployment phase) • Type II (Prototype Technologies) • More mature prototype technologies with a development phase and a deployment phase (optional) • Funding not to exceed 24 months (including deployment phase) • Type III (Mature Technologies) • Mature technology with a deployment phase only. • Funding not to exceed 12 months

  37. BAA 07-09 Technical Topic Areas • Botnets and Other Malware: Detection and Mitigation • Composable and Scalable Secure Systems • Cyber Security Metrics • Network Data Visualization for Information Assurance • Internet Tomography / Topography • Routing Security Management Tool • Process Control System Security • Secure and Reliable Wireless Communication for Control Systems • Real-Time Security Event Assessment and Mitigation • Data Anonymization Tools and Techniques • Insider Threat Detection and Mitigation

  38. BAA 07-09 White Papers Registrations Received Submissions Received

  39. BAA 07-09 Full Proposal Statistics • AWARD SUMMARY • Type I – 6 • Type II – 9 • Type III – 2 • LEADS • Academic – 6 • Industry – 10 • Labs – 1 • 80 offerors were encouraged to submit Full Proposals based on the White Paper reviews; 63 of those offerors submitted Full Proposals.

  40. 12 CNCI Projects • Establish a front line of defense • Reduce the Number of Trusted Internet Connections • Deploy Passive Sensors Across Federal Systems • Pursue Deployment of Automated Defense Systems • Coordinate and Redirect R&D Efforts • Resolve to secure cyberspace / set conditions for long-term success • Develop Gov’t-wide Counterintelligence Plan for Cyber • Increase Security of the Classified Networks • Expand Education • Connect Current Centers to Enhance Situational Awareness • Shape future environment / secure U.S. advantage / address new threats • Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs • Define and Develop Enduring Deterrence Strategies & Programs • Manage Global Supply Chain Risk • Cyber Security in Critical Infrastructure Domains • CNCI = Comprehensive National Cyber Initiative

  41. National Cyber Leap Year (NCLY) • RFI – 1: Generic, wide-open • Received over 160 responses; created 9 research areas • Attribution, Cyber Economics, Disaster Recovery, Network Ecology, Policy-based Configuration, Randomization/Moving Target, Secure Data, Software Assurance, Virtualization • RFI – 2: Same as RFI-1, but providing IP protection • Received over 30 responses • RFI – 3: Requested submissions only in 9 research areas above • Received over 40 responses • National Cyber Leap Year (NCLY) Summit • August 17-19, 2009 • Results posted on http://www.nitrd.gov

  42. NCLY Summit Topics • Cyber economics • Digital provenance • Hardware enabled trust • Moving target defense • Nature inspired cyber defense • Expectation: Agencies will include these topics in future solicitations

  43. Cyber Economics • Enable trusted repositories of data and metrics to allow economic analysis • Theories, models, and scientific understanding of cyber economics • Environment for training users and allowing controls of personal data • Tools to empower service providers in the defense of their infrastructure

  44. Digital Provenance • Develop new mechanisms for digital provenance definitions and management • Create technologies allowing stable and trustworthy entity identity • Advance data security techniques for provenance of data from creation to destruction

  45. Hardware Enabled Trust • Create new resilient (diversity, redundancy, recovery) hardware • Hardware defenses for hardware attacks • Develop new trustworthy data storage architectures and technologies

  46. Moving Target Defense • Technologies allowing a shift from reactive security postures to active preemptive postures • Create and develop manageable moving target mechanisms that create disruption for the adversaries, but not for the legitimate users • Techniques to analyze the effectiveness of MT mechanisms against various attacks and disruptions • Solutions that increase the ability to observe, shape, and expose the actions of adversaries as they attempt to evade and break MT mechanisms

  47. Nature Inspired Cyber Defense • Improve current distributed network defenses to react more quickly • Create technologies that provide evolving system immunity to attacks • Establish a Cyber-CDC (global cyber information sharing) • Analyze legal aspects associated with active cyber defense

  48. A Roadmap for Cybersecurity Research • http://www.cyber.st.dhs.gov • Scalable Trustworthy Systems • Enterprise Level Metrics • System Evaluation Lifecycle • Combatting Insider Threats • Combatting Malware and Botnets • Global-Scale Identity Management • Survivability of Time-Critical Systems • Situational Understanding and Attack Attribution • Information Provenance • Privacy-Aware Security • Usable Security

  49. Roadmap Content • What is the problem being addressed? • What are the potential threats? • Who are the potential beneficiaries? What are their respective needs? • What is the current state of practice? • What is the status of current research? • What are the research gaps? • What challenges must be addressed? • What resources are needed? • How do we test & evaluate solutions? • What are the measures of success?
