DARPA National Cyber Range

Broad Agency Announcement (BAA)

National Cyber Range

Strategic Technology Office (STO)

DARPA-BAA-08-43

May 5, 2008

TABLE OF CONTENTS

8.3.1.2. Commercial Items (Technical Data and Computer Software) 46

Part One: Overview Information

IMPORTANT NOTE: The Government’s obligation under this announcement and resulting contract award is contingent upon the availability of FY09 funds which as of the date of publication of this BAA have NOT been Authorized or Appropriated by the U. S. Congress. In order to expedite the progress of providing this capability, DARPA has published the BAA in FY08 with the expectation that award will be made promptly if FY09 resources are approved and available.

Federal Agency Name – Defense Advanced Research Projects Agency (DARPA), Strategic Technology Office
Funding Opportunity Title – National Cyber Range (NCR)
Announcement Type – Initial Announcement
Funding Opportunity Number – Broad Agency Announcement (DARPA-BAA-08-43)
Catalog of Federal Domestic Assistance Numbers (CFDA) – Not applicable.
Dates
Proposers’ Day: May 13-14, 2008
Proposal Due Date: June 30, 2008
BAA Closing Date: May 4, 2009

Concise description of the funding opportunity: Funding for the research and development of the National Cyber Range program.
Anticipated individual awards – Multiple awards are anticipated.
Types of instruments that may be awarded – Procurement contract and other transactions for prototypes (OT).
Agency contact – The BAA Coordinator for this effort can be reached at;

Unclassified fax (703)-807-1762, electronic mail: baa08-43@darpa.mil.
Classified fax (703)-526-4749/50, (SIPRNet) baa08-43@darpa.smil.mil

DARPA/STO
ATTN: BAA08-43
3701 North Fairfax Drive
Arlington, VA 22203-1714

Program Website: http://www.darpa.mil/sto/solicitations/BAA08-43/index.html
Proposers’ Day: http://www.darpa.mil/sto/solicitations/BAA08-43/index.html
Teaming Website: https://www.davincinetbook.com/teams

Part Two: Full Text of Announcement

1.Funding Opportunity Description

IMPORTANT NOTE: The Government’s obligation under this announcement and resulting contract award is contingent upon the availability of FY09 funds which as of the date of publication of this BAA have NOT been Authorized or Appropriated by the U. S. Congress. In order to expedite the progress of providing this capability, DARPA has published the BAA in FY08 with the expectation that award will be made promptly if FY09 resources are approved and available.

DARPA is soliciting innovative research proposals for the engineering and development of the National Cyber Range. Proposed research should investigate innovative approaches that enable revolutionary advances in science, devices, or systems. Specifically excluded is research that primarily results in evolutionary improvements to the existing state of practice.

The program solicitation consists of this unclassified BAA, the Classified Addendum to DARPA-BAA-08-43, and a Security Classification Guide (DARPA-CG-502). Contact the DARPA Program BAA Coordinator to receive the Classified Addendum and/or Security Classification Guide (see Sec 6.1.).

Proposals must address the requirements of this unclassified BAA, the Classified Addendum, and Security Classification Guide to qualify for review and consideration for selection.

Classified participation is restricted to U.S. firms only. Foreign participants and/or individuals may participate to the extent that such participants comply with any necessary Non-Disclosure Agreements, Security Regulations, Export Control Laws, and other governing statutes applicable under the circumstances.

This solicitation is for Phase I of the National Cyber Range Program only. The government will solidify the requirements for follow-on phases after the Phase I Kick-Off meeting.

1.1. Goal
The goal of the National Cyber Range (NCR) is to enable a revolution in the Nation’s ability to conduct cyber operations by providing a persistent cyber range that will:
Conduct unbiased, quantitative and qualitative assessment of information assurance and survivability tools in a representative network environment.
Replicate complex, large-scale, heterogeneous networks and users in current and future Department of Defense (DoD) weapon systems and operations.
Enable multiple, independent, simultaneous experiments on the same infrastructure.
Enable realistic testing of Internet/Global Information Grid (GIG) scale research.
Develop and deploy revolutionary cyber testing capabilities.
Enable the use of the scientific method for rigorous cyber testing.
The NCR will provide an environment for realistic, qualitative and quantitative assessment of potentially revolutionary cyber research and development technologies. The range must be capable of testing a variety of technology thrusts, potentially including but not limited to:
Host security systems that may modify or replace operating systems and kernels and other key workstation/endpoint components as well as wholesale replacement of information technologies.
Local area network (LAN) security tools and suites that may require modifying or replacing traditional network device operating systems, devices and architectures.
Wide-area-network (WAN) systems that must operate on bandwidths not commercially available today, and may require modifying or replacing traditional network device operating systems, devices and architectures.
Tactical networks that may include mobile ad hoc networks, maritime systems, etc.
New protocols that may replace portions or the entirety of today’s protocol stacks.

1.2. Program Vision
The NCR will become a National resource for testing unclassified and classified cyber programs. Government and Government-sponsored Test Organizations (TO) authorized to conduct cyber testing will coordinate with the NCR performer for range time and resources. DARPA will be the final authority on all matters and conflicts. The NCR will allocate resources for a specific test, thus establishing a temporary, logical testbed. The TO will assign a Test Director (TD) who is responsible for test design, configuration, analysis, and security issues on their particular testbed. The NCR performer will provide on-site support and sophisticated offensive and defensive adversaries if needed. The NCR performer will provide observer/controllers who will work with the TD to evaluate cyber technologies. The NCR will support multiple, simultaneous, segmented tests and testbeds. At the completion of the test the NCR will sanitize and de-allocate the testbed resources, thus absorbing them back into the range.

To achieve these goals the NCR will provide, as a minimum, the following objectives:
All necessary resources including but not limited to test facilities, utilities (power, water, etc), physical security, and heating, ventilation and air conditioning (HVAC).
All personnel necessary to design, operate, and maintain range, to include but not limited to management, administration, system administration and engineering personnel.
All necessary administration to include necessary certification/accreditation, Concept of Operation (CONOP) development, security management, test scheduling, and processes.
The ability to replicate large-scale military and government network enclaves.
The ability to replicate commercial and tactical wireless and control systems.
The ability to connect to distributed, custom facilities and/or capabilities as necessary to incorporate specialized capabilities, effects, or infrastructures.
Interactive test suites to design, configure, monitor, analyze, and release tests.
A robust range management suite.
A large pool of heterogeneous systems (nodes) as well as the ability to rapidly integrate new nodes.
The ability to rapidly generate and integrate replications of new machines.
The ability to integrate new research protocols.
A test toolkit/repository for reuse of recipes and architectures.
Forensic quality data collection, analysis, and presentation.
Realistically replicate human behavior and frailties.
Realistic, sophisticated, nation-state quality offensive and defensive opposition forces.
Dedicated on-site, support for installation, troubleshooting, and testing.
The ability to accelerate and decelerate relative test time.
The ability to encapsulate and isolate tests, data storage, and networks.
A knowledge management repository for test case samples and past experiences that can be used for future endeavors.
A malware repository.

1.3. Program Plan
The NCR program will be conducted in four phases. This solicitation is for Phase I only. The government will solidify the requirements for follow-on phases after the Phase I Kick-Off meeting.

In response to this solicitation, proposers may develop a Phase I submission (see Sec 6.) that includes an Initial Conceptual Design (ICD) for the NCR. The proposer should describe key attributes of their ICD that reflect the government’s vision for an operational NCR however this initial design does not require rigorous engineering detail and may evolve throughout the NCR program phases.

Provided that FY09 funds are authorized and appropriated for this program, DARPA would then expect to award multiple, competing performer teams for simultaneous execution of Phase I. During Phase I performers will refine the ICD and submit as deliverables Concepts of Operation (CONOPS), Detailed Engineering Plans and System Demonstration Plans including functional performance specifications and system metrics to Preliminary Design Review (PDR) quality as well as a Phase II proposal (technical plus cost) that must include how the range will be operated to meet the demands of the classified and unclassified users.

Contingent on authorization and appropriation of program funding, DARPA may then award multiple, competing performers for Phase II based on the technical merits of the work performed, an assessment of the ability of each contractor team to successfully achieve program goals by program end, and overall program budget constraints. Phase II would be a Critical Design Review (CDR) phase, whereby performers would update and complete their NCR designs and develop a prototype range to demonstration Phase II objectives and current capabilities. The Phase II range is expected to be significantly smaller than the final NCR for affordability reasons, but it must be sufficiently large enough to provide a meaningful demonstration and CDR. At the end of Phase II a CDR evaluation of the NCR prototype, as well as a number of test scenarios, would be conducted. An additional deliverable for Phase II is a proposal for Phase III, with an option for Phase IV.

Based on the progress and technical maturity achieved during Phase II, DARPA may select a single performer for Phase III. Phase III would result in full-scale NCR development. Phase III would end with full-scale evaluation of the NCR and operational testing of cyber research programs. If the performer achieved the Phase III Go/No-Go criteria the NCR will be declared Fully Mission Capable (FMC).

Upon declaration of FMC DARPA may select the performer to enter Phase IV and conduct tests of national cyber programs under DARPA or transition to another government agency.

1.4. Teaming
Due to the complexity of the technical challenges of this program, DARPA seeks the strongest teams possible to ensure a superior NCR. Proposers may elect to team with one another and proposers may participate on multiple teams. However, DARPA will only accept one proposal per prime contractor or other team lead. Each team must be working toward a common objective and have a unified management structure with a single, designated point of contact authorized to communicate on behalf of all team members with DARPA.

The National Cyber Range must be designed so that it can operate from unclassified to Top Secret/Special Compartmentalized Information/Special Access Program classification (TS/SCI/SAP). Performers must consider this when determining teaming (see Sec 2.3.9, 5.1, 5.1.2, and 6.1).

1.5. Funding and Period of Performance
DARPA has not established a funding objective for Phase I; however DARPA expects a period of performance for Phase I to not exceed 6 months, with a further 2 months for Final Report preparation. Due to the challenging suite of technologies that must be matured to support the NCR vision as well as the expected variability in performer’s approaches, DARPA has not established a funding objective or a period of performance for Phases II-IV. Rather, performer will be asked to propose a baseline program that meets the minimum Phase II-IV objectives. The government intends to make an award decision based on best value.

2. Statement of Objectives

This section outlines the government’s objectives for the NCR Program.

Performers are required to propose a complete, integrated system. DARPA will not act as the integrator. Collaboration and teaming is strongly encouraged. DARPA will reject proposals that address only some or individual components of the NCR.

Proposers are required to include an Initial Conceptual Design (ICD) for the NCR in their response to this BAA. The proposer should describe key attributes of their ICD design that reflect the government’s vision for an operational NCR. The proposer should provide substantiation that their proposed ICD can meet the Go/No-Go Metrics provided in Section 3 of this BAA; however this initial design does not require rigorous engineering detail and analysis. The primary purpose of developing the ICD is to identify the technology challenges and associated maturation activities required to enable development of the full-scale NCR. It is expected that the NCR attributes will evolve throughout this program based on results of individual technology maturation activities as well as demonstrations. The proposal design is meant to be an initial look that demonstrates the proposers’ understanding of the program objectives, technology challenges, and system integration issues.

2.1. Phase I – Design Objectives
DARPA expects multiple awards for Phase I performers. Phase I performers will have at most six (6) months to develop PDR-level quality for the development and operation of the NCR.

The primary objectives of Phase I are to refine the performer’s NCR ICD resulting in a Detailed Engineering Plan and System Demonstration Plan; and to develop Concepts of Operations (CONOPS).

By the end of Phase I, performers must convince the government that the plans, CONOPS, and Phase II proposal are feasible with acceptable risk; that the plans represent a credible and affordable approach to reduce system risk within the program schedule; and that continuation to Phase II is warranted.

Performers should schedule and budget a 2-month period after the 6-month deliverables, during which time the performer will provide a Phase I Final Report. The purpose of this period is to avoid a program gap.

At the end of Phase I each performer will provide DARPA:

2.1.1. Phase I – Task 1 – Preliminary Design Review
Task 1 is a complete, integrated Detailed Engineering and a System Demonstration Plan. The purpose of the engineering plan is to demonstrate to DARPA that the integrated, complete plan meets DARPA’s needs as specified in this BAA, the Classified Addendum, and Security Classification Guide (SCG). The detailed engineering plan can be classified.

The Detailed Engineering Plan will refine their ICD that was included in the Phase I proposal based on feedback received at the kickoff meeting. The Detailed Engineering Plan will explain how the performer will meet the Phase III objectives. The Detailed Engineering Plan will include a Critical Path Analysis. Performers may update this design based on results of Phase I risk reduction activities.

The PDR will include evaluation of a Phase II System Demonstration Plan. The System Demonstration Plan should explain how the proposer intends to execute the Phase II CDR Demonstration.

Phase I will culminate with a Preliminary Design Review (PDR) level of the deliverables against the Phase III NCR Objectives (Sec 2.3). The PDR should strike a reasonable balance between the performer’s agile practices utilized in the program and the formality of a more conventional PDR that meets the intent of more rigorous existing or expired standards (e.g. MIL-STD-1521B). DARPA will assess the performers against the Go/No-Go Metrics established in Section 3.3.1.

DARPA will focus on the performer’s refined system design to include: detailed layout of the NCR facility, utilities, personnel spaces, and information system layout and capabilities; risk analysis and mitigation strategies; preferred and fall-back positions for each program objective, software, networking architecture; and functional and performance capabilities of system designs. For software systems the PDR will evaluate the progress, consistency, and technical adequacy of the design and test approach, and compatibility between software requirements, test requirements, and formal engineering design. Performers must address the technology evolution plan to keep the range capabilities current.

2.1.2. Phase I – Task 2 – Concept of Operations (CONOPS)
Task 2 is a comprehensive Concept of Operations for the proposed Phase III NCR, to include as a minimum:

Explanation of capabilities and procedures, including security management and procedures, test process management, test schedule management, resource management and de-confliction, personnel requirements, etc.

On-site facilities, including facility space, processes, clearance procedures, escorting (if required), importing media/devices procedures, connecting to the range, briefing space, etc.

2.1.3. Phase I – Task 3 – Phase II Proposal
Task 3 is a detailed Phase II proposal to build a prototype NCR in accordance with the NCR objectives in Section 2.2. Task 3 will demonstrate the ability to meet all Program Objectives as well as to conduct the CDR and Demonstration.

2.2. Phase II – Prototype Objectives
At the completion of Phase I, one or more Phase I performers may proceed to Phase II and simultaneously build competing prototype NCR ranges, culminating in CDR level review activities for the operation of the NCR.

Performers are required to deliver a demonstration of a prototype NCR. The proposer defines the scale of the Phase II range necessary to meet the Phase II Prototype Objectives and demonstrate current capabilities for the CDR. Detailed engineering diagrams, simulations, etc. may replace physical scaling to large numbers to reduce Phase II costs.

The primary objectives of Phase II are to (1) refine and execute the performer’s engineering plan and demonstration plan and (2) deliver a prototype NCR.

By the end of Phase II, one or more performers must convince the government that the systems components and integrated system perform as stated and to DARPA Go/No-Go metrics; that the plan represents a credible and affordable approach to reduce system risk within the program schedule; and that continuation to Phase III is warranted.

At the end of Phase II, a Critical Design Review (CDR) evaluation of the NCR prototype, as well as a number of test scenarios, will be conducted. The Phase II deliverables include:

2.2.1. Phase II – Task 1 – Demonstration/CDR
Task 1 is to demonstrate capabilities and prototypes proposed as Phase III solutions.

Phase II Prototype Objectives:
Demonstrate and deploy two different host node recipes (see Sec 2.3.1.5).
Demonstrate the creation of new recipes (see Sec 2.3.1.5).
Demonstrate rapid testbed reconstitution (see Sec 2.3.3).
Demonstrate test management (see Sec 2.3.3).
Demonstrate time synchronization and auditing (see Sec 2.3.4.1).
Demonstrate data collection tools (see Sec 2.3.4) to include packet capture, event log collection, malware event collection, and automated attacks.
Demonstrate a traffic generation system (see Sec 2.3.6.3) to include but not limited to hyper text transfer protocol (HTTP) traffic, incoming and outgoing email, automated port scanning, and automated attacks.
Demonstrate basic human replicants (see Sec 2.3.6.4) that drive office software products, browsers, media players, and email clients.
Demonstrate replicated inter-enclave communication channels on a single test (see Sec 2.3.1.6).
Demonstrate aggregating all nodes and executing one large test/testbed (see Sec 2.3.2.4).
Demonstrate dynamically freeing resources from tests and reassigning them to other existing or new tests (see Sec 2.3.1.4).

2.2.2. Phase II – Task 2 – Phase III/IV Proposals
Task 2 is a detailed, complete Phase III proposal to build and deploy the NCR in accordance with the NCR Objectives in Sec 2.3. Task 2 will include an option for execution of Phase IV in accordance with Sec 2.4. Volume I (Technical and Management Proposal) can be classified. Volume II (Cost Proposal) will be unclassified.

Task 2 must demonstrate the ability to meet all testing and Program Objectives, as well as the ability to conduct full-scale testing on the range during Phase III Go/No-Go Evaluations and Phase IV.
Periodic reviews of the prototyping efforts will provide opportunities for the government and the performers to clarify objectives, document design decisions and rationale, review technical risk, and begin building a solid foundation for Phase III.
2.3. Phase III – National Cyber Range Objectives
At the completion of Phase II, assuming funds availability, DARPA anticipates selecting a performer to execute Phase III and build the NCR culminating in the evaluation of the complete NCR and the execution of numerous tests on the delivered NCR infrastructure. Phase III deliverables include:

2.3.1. Phase III – Task 1 – Infrastructure

2.3.1.1. Operational Resources. The performer must provide all necessary resources including but not limited to physical facilities, utilities, HVAC, and security. The performer will include all personnel necessary to design, operate, and maintain the NCR, to include but not limited to system administration and engineering personnel.

2.3.1.2. Administration Resources. The performer will perform all necessary administration to include necessary certification/accreditation, Concept of Operations (CONOP) development, security management, test scheduling, and operation of range processes.

2.3.1.3. Demonstrations. The facility must be capable of demonstrating results of tests to an audience of at least 30 people. For each test there must be, as a minimum, separate rooms with range connectivity for test control teams (Test Director), team(s) being tested, and OpFor (oppositional forces).

2.3.1.4. Node Replication. The performer must provide realistic replicated connections, hardware, and endpoints (firmware, hardware, software, and applications).
The performer must provide physical and logical devices (‘nodes’) to operate the NCR.
The range must be capable of aggregating all nodes for one large testbed.
The range must be capable of dynamically freeing resources from tests and reassigning them to existing or new tests.
The range should fail gracefully in response to range changes, node/link failure, and resource usage.

2.3.1.5. Recipes. The performer must provide a variety node configurations (‘recipes’) for tests.
Provide the ability for Test Directors to create, load, and operate new recipes on the range.
A Test Director must be capable of restricting recipes to specific tests or TDs.
Recipes may include operating systems, applications, device configurations, accounts, settings, security controls, protocols, and data files.

2.3.1.6. Network Technologies and Support. The performer will support current and future network technologies, including, but not limited to, the following:
Provide the ability for Test Directors to initiate various network topologies such as star, bus, hub, point to point, point to multi-point, wireless standards, and mobile ad hoc networks (MANETS).
Support multiple network security postures by providing network technologies including, but not limited to routers, firewalls, intrusion detection/protection systems, virtual LANs (VLANS), and Secure Socket Layer (SSL).
Provide the ability to integrate and test any/all current and future DoD network defensive postures and technologies that will facilitate realistic testing such as demilitarized zones (DMZ), anti-virus, host-based security systems, and Security Technical Implementation Guides (STIGs).
Provide the ability for Test Directors to create, store, modify, and load the above technologies as test recipes.
The Test Director must be able to restrict recipes to specific tests or Test Directors.
Provide for inter-enclave communications channel replication.

2.3.1.7. Protocols and Services. The performer will support current and future protocols and services, including, but not necessarily limited to the following:.
Support routing protocols including, but not limited to RIP, OSPF, and BGP.
Support routed protocols including but not limited to IP, Telnet, SNMP, and SMTP.
Support connection-based and connectionless-based protocols and services.
Support network services and protocols including but not limited to the IEEE 802 groups of protocol specifications.
Provide the ability for Test Directors to define and test new protocols and protocol stacks.
Provide the ability for Test Directors to integrate new devices and architectures into the NCR.

2.3.1.8. Scalability.
The performer must support a wide variety of test scenarios. Performers should support hands-on laboratory tests of single or multiple devices and small network tests to simulate national or global communications systems incorporating several thousand nodes.

2.3.2. Phase III – Task 2 – Range Management
Provide automated pre-test planning support to Test Directors.
Enable automated resource allocation based on test needs and DARPA specified priorities. DARPA will be the final decision authority for any conflicts of range resource prioritization.
Support short term (1 week) to long-term (6 month) research programs.
Provide a means to rapidly and securely de-obligate test resources after tests.
Enable free resources to be pooled and allocated to low priority, non-interactive, batch tests.
Provide a knowledge management suite for lessons learned from within and across tests.
Provide means to incorporate additional technologies into the range.

2.3.3. Phase III – Task 3 – Test Management
Facilitate Test Director drawing from a high-level palette of resources (architectures, hosts, attackers, users, background traffic and usage, data capture packet or host instrumentation, visualization) or creating their own, exposing functionality at the appropriate abstraction level.
Provide automated pre-test planning, test execution, data collection, post test analysis and closeout to support the Test Director.
Provide a knowledge management repository for test case samples and past experiences that can be used for future tests.
Provide an automated means to configure, instrument, initialize, and verify assigned testbed resources.
Provide means to execute, monitor, pause, continue, and stop tests.
Provide means to rapidly reset, modify, and restart tests (reconfigure and reconstitute tests).
Provide range validation with user-defined scripts.
Support both interactive and batch testing paradigms.

2.3.4. Phase III – Task 4 – Transparency
The NCR must provide a means to perform measurement-based quantitative and qualitative assessment of tests.

2.3.4.1. Instrumented. Provide the means to obtain ground truth of what occurred during tests, including:
Enable individuals to collect, analyze and present/visualize test configurations and results.
Provide forensic level data collection, analysis, and presentation across heterogeneous nodes.
Provide a time synchronization mechanism and a mechanism for auditing time synchronization– including synchronizing across networks integrated into the NCR (if necessary).

2.3.4.2. Observer/Controller. Provide qualified, on-site evaluation teams that can:
Provide dedicated, neutral, competent observer/controllers and analysis team if requested by Test Directors. Performer should describe minimal qualifications enforced for team members.
Provide real-time ground truth on tests.
Provide complete situational awareness on all activities.
Report tests results and resource usage metrics to DARPA.

2.3.5. Phase III – Task 5 – Qualified, On-Site Support Team
Provide a sufficient number of highly skilled, experienced network engineers, system administrators, and domain administrators. Performer should describe minimal qualifications required for team members.
Performer must respond promptly to all test needs throughout the test process.
Provide a trouble ticket system to track assistance requests.

2.3.6. Phase III – Task 6 – Human Interaction and Replication
The NCR must be capable of supporting human players (users, management, adversaries, neutral actors, etc). Additionally, for scale, time, and cost the NCR must be capable of providing automated software to drive workstation applications, realistically replicate human individuals, and replicate entire networks.

2.3.6.1. Oppositional Forces (OpFor). The NCR must provide, on demand, a dedicated, sophisticated OpFor to execute and respond to attacks or defenses as required.
Capabilities include sophisticated cyber activity, from defending national assets, to computer network attack.
Provide OpFor with an interface for individuals and teams to replicate cyber adversaries outside an enclave.
Provide secure planning and operations space within the facility to support supplemental OpFor provided by the Test Director.
Establish a malware library of offensive tools for use by DARPA-authorized individuals on the range.
Establish a defensive tools library for use on the range.

2.3.6.2. Team Integration. Provide the means for each TO to integrate their test teams into the range ,if required.
Provide the ability to integrate specific teams into a testbed.
Facilitate human interaction throughout a testbed as users, defenders, system administrators, attackers, etc
Provide the ability to record, restore, and reuse tools when appropriate and approved.

2.3.6.3. Traffic Generators.
Provide easily configurable technologies to emulate entire network activities, generating representative network traffic into, out of, or inside the network under test.

2.3.6.4. Human Actor Replicants and Program Activators (Host-based Traffic Generators). The NCR must replicate realistic human behavior on nodes.
Provide robust technologies to emulate human behavior on all nodes of the range for testing all aspects of range behavior.
Replicants will produce realistic chain of events between many users without explicit scripting behavior.
Replicants must be capable of implementing multiple user roles similar to roles found on operational networks.
Replicant behavior will change as the network environment changes, as the replicated “outside environment” (i.e. DoD DefCon, InfoCon, execution of war plans, etc) changes, and as network activity changes (detected attacks, degradation of services, etc).
Replicants will simulate physical interaction with device peripherals, such as keyboard and mice.
Replicants will drive all common applications on a desktop environments.
Replicants will interact with authenticate systems, including but not limited to DoD authentication systems (common access cards – CAC), identity tokens.

2.3.7. Phase III – Task 7 – Extensibility
The NCR must contain a configurable and easy to use system to integrate research systems as well as other ranges into the NCR. Explain the explicit procedures and interfaces for integrating new technologies and entire ranges.

2.3.7.1. Extend the NCR. The NCR must integrate and/or replicate current and future DoD and adversary networked systems, as well as the intermediary communications medium. Performers should address the ability to integrate, replicate, or simulate at least the following technologies:
Local Area Networks (LANs).
Wide Area Networking (WAN), including backbone routing.
Wireless technologies (such as IEEE 802.11x and HF, VHF, UHF such as SINGARS, TACSAT, JTRS).
Intermediate routing devices (routers, switches, information assurance controls).
Military Command, Control, Communications, and Computers (C4) systems.
US and foreign military communications infrastructure such as satellite (STEP sites), satcom, maritime, tactical, Mobile Ad Hoc Networks (MANETs).
US and foreign military net-centric assets and systems (unmanned aerial vehicles, weapons, radar systems, etc.).
Mobile workers (devices connecting to numerous logical points across the test networks) including non-DoD/government networks (cyber cafes, metropolitan wireless infrastructure) and devices (notebook computers, personal digital assistances/computers).
Physical control systems such as Supervisory Control And Data Acquisition (SCADA).

2.3.7.2. Realistic Node Replication. The NCR must be capable of taking a physical computer and rapidly creating a functionally equivalent, logical instance of that machine that can be replicated repeatedly and injected into a testbed.
Given a never-before-seen physical computing device, create logical instantiations of the physical native machine that accurately replicates, not only the software on the machine, but hardware to the interrupt level, chipset, and peripheral cards and devices.

2.3.8. Phase III – Task 8 – Time Dilation/Contraction
Develop technologies to accelerate or decelerate test time (relative to reality); to enable new capabilities (for example, to create bandwidths that are not commercially available today) or decrease the test time required to perform batch/non-interactive tests.
Create controlled modification of the test clock in the context of the testers’ frame of reference.

2.3.9. Phase III – Task 9 – Encapsulation
The NCR must comply with the NCR Security Classification Guide (DARPA-CG-502) as well as applicable DoD and U.S. government policies and regulations.
The Range must be capable of operating from Unclassified to Top Secret/Special Compartmentalized Information/Special Access Program with multiple simultaneous tests operating at different security levels and compartments.
Facilitate testing offensive against defensive capabilities, secure from spillage of malware characteristics and/or technology and leakage of malicious code from the range.
Ensure data does not spill across tests and testbeds while on the range or archived.
Sanitize resources securely and rapidly when resources are freed from tests.
Ensure a test does not perform an unintended denial of service on other tests – isolate performance interference.

2.4. Phase IV – Operate the NCR
Phase IV will consist of the performer conducting cyber testing operations on programs of national interest. At Government request, and contingent upon successful negotiation of a mutually agreeable contract between the Government and the performer in accordance with all applicable law (including the Competition in Contract Act, 10 USC 2304), the performer should be prepared to operate the NCR as a national research and development resource.

Phase IV proposal will include a 12 month period of performance, with an additional 12 month period of performance option exercisable at the sole discretion of the Government.
3. PROGRAM METRICS

In order for the Government to evaluate the effectiveness of a proposed solution in achieving the stated program objectives, proposers should note that the Government hereby promulgates the following program metrics that may serve as the basis for determining whether satisfactory progress is being made to warrant continued funding of the program. Although the following program metrics are specified, proposers should note that the government has identified these goals with the intention of bounding the scope of effort, while affording the maximum flexibility, creativity, and innovation in proposing solutions to the stated problem.

Proposals should cite the quantitative and qualitative success criteria that the proposed effort will achieve by the time of each Phase’s program metric measurement, as well as explain how the proposed effort will achieve those criteria.

3.1. MEETING Details
All meetings are expected to be conducted at the performer’s location(s), with the exception of the Kickoff Meeting, which may be conducted in the Washington, D.C. area. The purpose of the meetings is to demonstrate accomplishment and convey information and issues, not to generate documentation. Instead of written reports, a complete copy of the annotated review briefings should be provided to the meeting attendees. The performer will forward an electronic copy of the briefing to the DARPA PM within 2 days of the review.

Interim Progress Review (IPR) meetings will be conducted between phase kickoffs and end of phase reviews, and may include key test and demonstration events. The IPRs provide an opportunity for the government to view the activities in progress and provide additional insight or information as required. The value of the meetings will be in the breadth of material and level of detail and interaction with the team. IPRs are small working level meetings without formal documentation. Attendance at each IPR will be tailored based on the agenda, but the maximum government attendance should be 10-20 people.

3.2. Program Overview
Proposals, PDR efforts (Sec 2.1.1), CONOPS (Sec 2.1.2), and CDR efforts (Sec 2.2.1) should address the following three areas:

Understanding of Government’s Requirements. The performer must demonstrate its understanding (or provide its assumptions) of the NCR Objectives (functionality and performance requirements), the environment in which the NCR will operate, support concept, and the concept of operations. This understanding should include system constraints, important design considerations, the system’s interfaces with external systems, and interoperability and information support requirements.

Allocation of Requirements. The performer must show how (and why) it allocated functional and performance requirements to hardware and software configuration items, and human-system interfaces. The performer should show what derived requirements are involved in its decisions. The results of the prototyping efforts should provide the basis for a specification tree, and for developing subsystem specifications.

Synthesized Design. The performers should show what alternative combinations of components were considered, and the rationale for the final design chosen for the prototype. The detailed elements of the prototype design should be captured to the degree possible in terms of technical descriptions of the components, architecture, drawings, and draft process specifications if applicable. The performer should identify the areas of technical risk, and propose technical performance measures to track in future development.

3.3. Go/No-Go Metrics
DARPA will use the following measures to assess program development performance by phase. Ultimate program success will be based on accomplishing the program Objectives outlined in Sec 2. The Go/No-Go Metrics for Phase II – IV are notional and may change. The government will solidify the requirements after the Phase I Kick-Off meeting.

3.3.1. Phase I Go/No-Go Metrics
To be considered for selection for Phase II:

1) The Preliminary Design Review (PDR) of the Detailed Engineering Plan (Sec 2.1.1), and the Concept of Operation (Sec 2.1.2) must demonstrate the feasibility to meet the Phase III Program Objectives (Sec 2.3) including, but not limited to:
The PDR Detailed Engineering Plan is sufficient and ready to be put under configuration control.
The PDR System Demonstration Plan fully defines how the performer will complete the detailed design, development, fabrication and verification testing of its demonstrator system in Phase II.
The CONOPS clearly explains how the envisioned Phase III NCR will operate, and that this vision meets all Phase III objectives.
The critical path analysis is complete in a software tracking tool

2) The Phase II Proposal to build and operate a prototype NCR must meet the criteria specified in Sec 6.3.

3.3.2. Phase II Go/No-Go Metrics
To be considered for selection for Phase III:

1) Provide a CDR-level Detailed Engineering Plan and prototype demonstrating CDR-level capabilities and proposed means to meet NCR Phase III scale and Objectives.

2) Using the prototype range, demonstrate all program Objectives found in Sec 2.2.1 and:
Reconstitute test nodes within 30 minutes.
Reconfigure the range using recipes and configuration files within 2 hours.
Create a 100-node test from DARPA-provided specifications (network diagrams, configuration files, etc) within 6 hours.
Perform time synchronization across all machines to within 10 milliseconds (ms).
Provide quantitative metrics for traffic simulation, user replication, range instrumentation, and range verification of tools.

3) The Phase III and Phase IV Proposals to build and operate a full-scale NCR must meet the criteria specified in Sec 6.3.

3.3.3. Phase III Go/No-Go Metrics
Phase III will culminate with a go/no-go evaluation in the form of multiple, simultaneous tests of research technologies, architectures, and operational plans. To declare the NCR full operational capability (FOC):

1) Demonstrate all program Objectives outlines in Sec 2.3.

2) During a series of tests, successfully demonstrate NCR end-to-end Objectives by creating, loading, operating, and de-allocating several National tests, including:
Reconstitute test nodes with 15 minutes.
Reconfigure the range using recipes and configuration files within 1 hour.
Create a 10,000-node test from DARPA-provided requirements (network diagrams and configuration files) within 2 hours.
Perform time synchronization across all machines to within 1 millisecond (ms).
Within 4 hours, create logical instantiations of DARPA-provided physical native machine to the interrupt level, including chipset and peripheral cards, and score within 10% of native machine benchmarks.
Satisfactorily close all Test Director initiated trouble tickets within 4 hours.
Replicated networks perform within 10% of a physical network on DARPA-provided benchmarks.
Replicated humans demonstrate human-level behavior on 80% of all events.
Increase and decrease test time by at least 25% with no changes to test results.
4. Award Information

The Government’s obligation under this announcement and resulting contract award is dependent upon the availability of FY09 appropriated funds. As of the date of first publication of this BAA, FY09 funds have not been authorized or appropriated by Congress.

Multiple awards are possible. The amount of resources made available under this BAA will depend on the quality of the proposals received and the availability of funds.

The Government reserves the right to select for negotiation all, some, one, or none of the proposals received in response to this solicitation, and to make awards without discussions with proposers. The Government also reserves the right to conduct discussions if the Source Selection Authority later determines them to be necessary. If warranted, portions of resulting awards may be segregated into pre-priced options. Additionally, DARPA reserves the right to accept proposals in their entirety or to select only portions of proposals for award. In the event that DARPA desires to award only portions of a proposal, negotiations may be opened with that proposer. If the proposed effort is inherently divisible and nothing is gained from the aggregation, proposers should consider submitting it as multiple independent efforts. The Government reserves the right to fund proposals in phases with options for continued work at the end of one or more of the phases.

Awards under this BAA will be made to proposers on the basis of the evaluation criteria listed below (see Sec. 7.), and program balance to provide overall value to the Government. Proposals identified for negotiation may result in a procurement contract or other transaction for prototype.

5. Eligibility Information

5.1. ELIGIBLE APPLICANTS
All responsible sources capable of satisfying the Government’s needs may submit a proposal that shall be considered by DARPA. Historically Black Colleges and Universities (HBCUs), Small Businesses, Small Disadvantaged Businesses and Minority Institutions (MIs) are encouraged to submit proposals and join others in submitting proposals; however, no portion of this announcement will be set aside for these organizations’ participation due to the impracticality of reserving discrete or severable areas of this research for exclusive competition among these entities. Independent proposals from Government/National laboratories may be subject to applicable direct competition limitations, though certain Federally Funded Research and Development Centers are excepted per P.L. 103-337§ 217 and P.L 105-261 § 3136. Proposers from Government / National Laboratories must provide documentation to DARPA to establish that they are eligible to propose and have unique capabilities not otherwise available in private industry.

Classified participation is restricted to U.S. firms only. Foreign participants and/or individuals may participate to the extent that such participants comply with any necessary Non-Disclosure Agreements, Security Regulations, Export Control Laws, and other governing statutes applicable under the circumstances.

5.1.1. Procurement Integrity, Standards of Conduct, Ethical Considerations, and Organizational Conflicts of Interest
Current federal employees are prohibited from participating in particular matters involving conflicting financial, employment, and representational interests (18 USC 203, 205, and 208.). The DARPA Program Manager for this BAA is Dr. Michael VanPutte, (BAA08-43@darpa.mil). As of the date of first publication of the BAA, the Government has not identified any potential conflicts of interest involving this program manager. Once the proposals have been received, and prior to the start of proposal evaluations, the Government will assess potential conflicts of interest and will promptly notify the proposer if any appear to exist. (Please note the Government assessment does NOT affect, offset, or mitigate the proposer’s own duty to give full notice and planned mitigation for all potential organizational conflicts, as discussed below.) The Program Manager is required to review and evaluate all proposals received under this BAA and to manage all selected efforts. Proposers should carefully consider the composition of their performer team before submitting a proposal to this BAA.

All Proposers and proposed subcontractors must therefore affirm whether they are providing scientific, engineering, and technical assistance (SETA) or similar support to any DARPA technical office(s) through an active contract or subcontract. All affirmations must state which office(s) the Proposer supports and identify the prime contract numbers. Affirmations shall be furnished at the time of proposal submission. All facts relevant to the existence or potential existence of organizational conflicts of interest (FAR 9.5) must be disclosed. The disclosure shall include a description of the action the proposer has taken or proposes to take to avoid, neutralize, or mitigate such conflict. In accordance with FAR 9.503 and without prior approval or a waiver from the DARPA Director, a Contractor cannot simultaneously be a SETA and a Performer. Proposals that fail to fully disclose potential conflicts of interests and / or do not have plans to mitigate this conflict will be returned without technical evaluation and withdrawn from further consideration for award.

If a prospective Proposer believes that any conflict of interest exists or may exist (whether organizational or otherwise), the Proposer should promptly raise the issue with DARPA by sending Proposer’s contact information and a summary of the potential conflict by email to the mailbox address for this BAA at BAA08-43@darpa.mil, before time and effort are expended in preparing a proposal and mitigation plan. If, in the sole opinion of the Government after full consideration for the circumstances, any conflict situation cannot be effectively mitigated, the proposal may be returned without technical evaluation and withdrawn from further consideration for award under this BAA.

5.1.2. Performer Security Requirements
The National Cyber Range must be capable of testing unclassified to Top Secret/Special Compartmentalized Information/Special Access Program (TS/SCI/SAP) programs. Proposers must consider this when determining teaming.

The performer prime team, as well as anyone who would be capable of accessing classified information must have the appropriate clearances and access in accordance with DARPA, DoD and U.S. government policies and procedures. Subcontractors and team members who are developing technologies and procedures, but who will not have any access to the tested programs, technologies, data, or test results may not require the same level of clearance. It is the prime contractor’s or team leader’s responsibility to ensure all classified information, programs, technologies, data, and test results are protected in accordance with DARPA, DoD and U.S. government policies and procedures.

Questions regarding security should be directed to the National Cyber Range Security Classification Guide (DARPA-CG-502) or the DARPA Program Security Representative through the BAA Coordinator (page 5).

5.2. COST SHARING/MATCHING
Cost sharing is not required for this particular program; however, cost sharing will be carefully considered where there is an applicable statutory condition relating to the selected funding instrument (e.g., for any Other Transactions under the authority of 10 U.S.C. § 2371). Cost sharing is encouraged where there is a reasonable probability of a potential commercial application related to the proposed research and development effort.

5.3. OTHER ELIGIBILITY REQUIREMENTS

5.3.1. Collaborative Efforts
Collaborative efforts/teaming are encouraged. A website (https://www.davincinetbook.com/teams) has been established to facilitate formation of teaming arrangements between interested parties. Specific content, communications, networking, and team formation are the sole responsibility of the participants. Neither DARPA nor the Department of Defense (DoD) endorses the destination web site or the information and organizations contained therein, nor does DARPA or the DoD exercise any responsibility at the destination. This website is provided consistent with the stated purpose of this BAA.
6. Application and Submission Information

6.1. ADDRESS TO REQUEST APPLICATION PACKAGE AND CLASSIFIED ADDENDUM

This solicitation (DARPA-BAA-08-43) the Classified Addendum (Addendum to DARPA-BAA-08-43), and the Security Classification Guide (DARPA-CG-502) constitute the total BAA. These three documents contain all information required to submit a proposal. No additional forms, kits, or other materials are needed. No additional information is available, nor will a formal Request for Proposal (RFP) or additional solicitation regarding this announcement be issued. Requests for same will be disregarded.

Requests for the Classified Addendum (Addendum to DARPA-BAA-08-43) and the Security Classification Guide (DARPA-CG-502) will be accepted only from proposers who complete Attachment A, DARPA-BAA-08-43 Classified Packet Request Form. Email the Request Form to BAA08-43@darpa.mil with Subject line titled “Request BAA-08-43 Classified Packet” or fax to (703)-807-1762. Proposers are encouraged to submit this request as soon as possible to allow for adequate time for BAA Packet preparation and delivery. All requestors will receive a confirmation email with a delivery tracking number. Proof of facility clearance level (FCL) must be validated by the Program Security POC before any classified documentation on the BAA will be sent to the performer.

The Government anticipates Volume I proposals submitted under this BAA may be classified up to SECRET. Guidance regarding the marking, packaging and delivery of classified proposals is provided in the DD[RIS1] Form 254 “Contract Security Classification Specification” associated with this BAA. A DD Form 254 will be issued and attached as part of the award. A SECRET facility clearance and a SECRET safeguarding clearance will be required to perform awards issued under this BAA. The classified requirements for Phase I of the NCR program as contained in the Classified Addendum are classified SECRET//Collateral level and are available only to proposer who are cleared to handle such materials.

Performers selected to execute Phase II – IV may require additional personnel and facility clearance levels and will be addressed at a later date.

NOTE: Do not contact the contracting officer with respect to this announcement. All unclassified questions should be sent to BAA08-43@darpa.mil. Classified questions that may be classified should be sent to BAA 08-43 (Secure FAX (703) 526-4750/4749).

DARPA will provide cleared personnel an opportunity to view the Classified Addendum on May 12, 2008 prior to the NCR Proposers’ Day. Details for the Proposers’ Day and the Classified Addendum can be found on the Proposers’ Day Website (see Sec 9.1).

6.2. CONTENT AND FORM OF APPLICATION SUBMISSION

6.2.1. Proposal Information
This solicitation is for Phase I only. The government will solidify the requirements for follow-on phases after the Phase I Kick-Off meeting. Phase II – IV requirements are notional only.

Proposers are required to submit full Phase I proposals by the time and date specified in the BAA in order to be considered during the initial round of selection. Phase I proposals should include enough detail to permit DARPA to make an informed decision that the proposer has the technical knowledge, team, and understanding of government objectives to develop a full Phase III National Cyber Range (see Sec 2.3). The Phase I proposal should also include a tentative schedule and cost rough order of magnitude (ROM) for Phase II and III. The Phase II and III information will not be evaluated and is for DARPA planning purposes only.

DARPA may evaluate proposals received after the date specified in this BAA for a period of one year from the date posted on FedBizOpps. Selection remains contingent on availability of funds.

Proposals should be a consolidated effort to meet the Phase I requirements of this BAA. Phase I proposals must meet the objectives of Sec 2.1. Phase II proposals (due at the completion of Phase I) must meet the objectives of Sec 2.2. Phase III and Phase IV proposals (due at the completion of Phase II) must meet the objectives of Sec 2.3 and Sec 2.4, respectively.

Restrictive notices notwithstanding, proposals may be handled, for administrative purposes only, by a support contractor. This support contractor is prohibited from competition in DARPA technical research and is bound by appropriate nondisclosure requirements. Proposals may not be submitted by fax or e-mail; any so sent will be disregarded.

Proposals not meeting the format described in the BAA may not be reviewed.

Proposers must submit an original and eight (8) copies of the full proposal and two (2) electronic copies of the proposal [in PDF (preferred)] on a CD-ROM. Each copy must be clearly labeled with DARPA-BAA-08-43, proposer organization, proposal title (short title recommended), and Copy _ of 8.

All administrative correspondence and questions on this solicitation, including requests for information on how to submit a proposal to this BAA, should be directed to one of the administrative addresses below.

Points of Contact: The BAA Coordinator for this effort can be reached at:

Unclassified fax (703) – 807-1762, electronic mail: baa08-43@darpa.mil.
Classified fax (703) – 526-4749/50, (SIPRNet) baa08-43@darpa.smil.mil

DARPA/STO
ATTN: BAA08-43
3701 North Fairfax Drive
Arlington, VA 22203-1714

Program Website: http://www.darpa.mil/sto/solicitations/BAA08-43/index.html

DARPA intends to use electronic mail and fax for correspondence regarding DARPA-BAA-08-43. Proposals may not be submitted by fax or e-mail; any so sent will be disregarded. DARPA encourages use of the Internet for retrieving the BAA and other related information that may subsequently be provided.

6.2.2. Restrictive Markings on Proposals
All proposals should clearly indicate limitations on the disclosure of their contents. Proposers who include in their proposals data that they do not want disclosed to the public for any purpose, or used by the Government except for evaluation purposes, shall-

(1) Mark the title page with the following legend:
This proposal includes data that shall not be disclosed outside the Government and shall not be duplicated, used, or disclosed-in whole or in part-for any purpose other than to evaluate this proposal. If, however, a contract is awarded to this proposer as a result of, or in connection with, the submission of this data, the Government shall have the right to duplicate, use, or disclose the data to the extent provided in the resulting contract. This restriction does not limit the Government’s right to use information contained in this data if it is obtained from another source without restriction. The data subject to this restriction are contained in sheets [insert numbers or other identification of sheets]; and
(2) Mark each sheet of data it wishes to restrict with the following legend:
Use or disclosure of data contained on this sheet is subject to the restriction on the title page of this proposal.
Markings like “Company Confidential” or other phrases that may be confused with national security classifications shall be avoided. See Section 8.0, for additional information.

6.3. FORMATTING CHARACTERISTICS

6.3.1. Proposal Format
All proposals must be in the format given below. Nonconforming proposals may be rejected without review. Proposals shall consist of two volumes. All pages shall be printed on 8-1/2 by 11 inch paper with type not smaller than 12 point. Smaller font may be used for figures, tables and charts. The page limitation for proposals includes all figures, tables, and charts. Volume I, Technical and Management Proposal, may include an attached bibliography of relevant technical papers or research notes (published and unpublished) which document the technical ideas and approach upon which the proposal is based. Copies of not more than three (3) relevant papers can be included with the submission. The bibliography and attached papers are not included in the page counts given below. The submission of other supporting materials along with the proposals is strongly discouraged and will not be considered for review. Except for the attached bibliography and Section I, Volume I shall not exceed {90} number pages. Maximum page lengths for each section are shown in braces { } below. All proposals must be written in English.

6.3.1.1. Phase I Volume I, Technical and Management Proposal

Section I. Administrative
A.{1} Cover sheet to include:
(1) BAA number
(2) Lead Organization submitting proposal
(3) Type of business, selected among the following categories: “LARGE BUSINESS”, “SMALL DISADVANTAGED BUSINESS”, “OTHER SMALL BUSINESS”, “HBCU”, “MI”, “OTHER EDUCATIONAL”, OR “OTHER NONPROFIT”
(4) Contractor’s reference number (if any)
(5) Other team members (if applicable) and type of business for each
(6) Proposal title
(7) Technical point of contact to include: salutation, last name, first name, street address, city, state, zip code, telephone, fax (if available), electronic mail (if available)
(8) Administrative point of contact to include: salutation, last name, first name, street address, city, state, zip code, telephone, fax (if available), electronic mail (if available), total funds requested from DARPA, and the amount of cost share (if any) and
(9) Date proposal was submitted.
B.{1} Official transmittal letter.

Section II. Summary of Proposal
This section provides an overview of the proposed work as well as an introduction to the associated technical and management issues. Further elaboration will be provided in Section III.
A.{2} Executive Summary. Provide a summary of the proposal that quickly and succinctly indicates the main objective, key innovations, expected impact, and other unique aspects of the proposal.
B.{6} Innovative claims for the proposed research. This section is the centerpiece of the proposal and should succinctly describe the uniqueness and benefits of the proposed approach relative to the current state-of-art alternate approaches.
C.{6} Deliverables associated with the proposed research and the plans and capability to accomplish technology transition and commercialization. Include in this section all proprietary claims to the results, prototypes, intellectual property, or systems supporting and/or necessary for the use of the research, results, and/or prototype. If there are not proprietary claims, this should be stated.
D.{4} Cost, schedule and payable milestones for the proposed research, including estimates of cost for each task in each year of the effort delineated by the prime and major subcontractors, total cost and company cost share, if applicable. Note: Measurable critical milestones should occur every month after start of effort. These payable milestones should enable and support a go/no go decision for the next part of the effort. Additional interim non-critical management milestones are also highly encouraged at a regular interval.
E.{4} Technical rationale, technical approach, and constructive plan for accomplishment of technical goals in support of innovative claims and deliverable production. (In the proposal, this section should be supplemented by a more detailed plan in Section III.)
F.{4} General discussion of other research in this area.
G.{4} A clearly defined organization chart for the program team which includes, as applicable: (1) the programmatic relationship of team member; (2) the unique capabilities of team members; (3) the task of responsibilities of team members; (4) the teaming strategy among the team members; and (5) the key personnel along with the amount of effort to be expended by each person during each year; (6) Points of contact for each subcontractor/teaming partner to include salutation, last name, first name, telephone number, fax number, email address, security POC and contact information.
H.{1} A one-slide penta-chart (see http://www.darpa.mil/sto/solicitations/BAA08-43/index.html) summary of the proposal in PowerPoint that quickly and succinctly indicates the main objective, key innovations, expected impact, and other unique aspects of the proposal.

Section III. Detailed Proposal Information/Initial Conceptual Design
This section provides the detailed discussion of the proposed work necessary to enable an in-depth review of the specific technical and managerial issues. Specific attention must be given to addressing both risk and payoff of the proposed work that make it desirable to DARPA. This section will include the proposers Initial Conceptual Design.

A.{12} Statement of Work (SOW) – In plain English, clearly define the technical tasks/subtasks to be performed, their durations, and dependencies among them. The page length for the SOW will be dependent on the amount of the effort. For each task/subtask, provide:
A general description of the objective (for each defined task/activity).
A detailed description of the approach to be taken to accomplish each defined task/activity).
Identification of the primary organization responsible for task execution (prime, sub, team member, by name, etc.).
The exit criteria for each task/activity – a product, event or milestone that defines its completion.
Define all deliverables (reporting, data, reports, software, etc.) to be provided to the Government in support of the proposed research tasks/activities.

Note: It is recommended that the SOW be developed so that each Phase of the program is separately defined. Do not include any proprietary information in the SOW.

B.{4} Description of the results, products, transferable technology, and expected technology transfer path enhancing that of Section II. B.
C.{8} Detailed technical rationale enhancing that of Section II.
D.{4} Detailed technical approach enhancing and completing that of Section II.
E.{4} Comparison with other ongoing research indicating advantages and disadvantages of the proposed effort.
F.{6} Discussion of proposer’s previous accomplishments and work in closely related research areas.
G.{6} Description of the facilities that would be used for the proposed effort.
H.{6} Detail support enhancing that of Section II, including formal teaming agreements which are required to execute this program.
I.{10} Cost schedules and milestones for the proposed research, including estimates of cost for each task in each year of the effort delineated by the primes and major subcontractors, total cost, and any company cost share. Note: Measurable critical milestones should occur every month after start of effort. These milestones should enable and support a go/no go decision for the next part of the effort. Additional interim non-critical management milestones are also highly encouraged at regular intervals. Where the effort consists of multiple portions which could reasonably be partitioned for purposes of funding, these should be identified as options with separate cost estimates for each. Additionally, proposals should clearly explain the technical approach (es) that will be employed to meet or exceed each program metric and provide ample justification as to why the approach (es) is/are feasible. Performers should address program metrics, and how they anticipate meeting these metrics.

Section IV. Additional Information
A brief bibliography of relevant technical papers and research notes (published and unpublished) which document the technical ideas upon which the proposal is based. Copies of not more than three (3) relevant papers can be included in the submission.

6.3.1.2. Phase I Volume II, Cost Proposal – {No Page Limit}
Cover sheet to include:
(1) BAA number;
(2) Technical area;
(3) Lead Organization Submitting proposal;
(4) Type of business, selected among the following categories: “LARGE BUSINESS”, “SMALL DISADVANTAGED BUSINESS”, “OTHER SMALL BUSINESS”, “HBCU”, “MI”, “OTHER EDUCATIONAL”, OR “OTHER NONPROFIT”;
(5) Contractor’s reference number (if any);
(6) Other team members (if applicable) and type of business for each;
(7) Proposal title;
(8) Technical point of contact to include: salutation, last name, first name, street address, city, state, zip code, telephone, fax (if available), electronic mail (if available);
(9) Administrative point of contact to include: salutation, last name, first name, street address, city, state, zip code, telephone, fax (if available), and electronic mail (if available);
(10) Award instrument requested: cost-plus-fixed-free (CPFF), cost-contract—no fee, cost sharing contract – no fee, or other type of procurement contract (specify);
(11) Place(s) and period(s) of performance;
(12) Total proposed cost separated by basic award and option(s) (if any);
(13) Name, address, and telephone number of the proposer’s cognizant Defense Contract Management Agency (DCMA) administration office (if known);
(14) Name, address, and telephone number of the proposer’s cognizant Defense Contract Audit Agency (DCAA) audit office (if known);
(15) Date proposal was prepared;
(16) DUNS number;
(17) TIN number; and
(18) Cage Code;
(19) Subcontractor Information; and
(20) Proposal validity period
(21) Any Forward Pricing Rate Agreement, other such approved rate information, or such other documentation that may assist in expediting negotiations (if available).

Detailed cost breakdown to include:
(1)total program cost broken down by major cost items to include:
i.direct labor, including individual labor categories or persons, with associated labor hours and numbered direct labor rates
ii.If consultants are to used, proposer must provide consultant agreement or other document which verifies the proposed loaded daily/hourly rate
iii.Indirect costs including Fringe Benefits, Overhead, General and Administrative Expense, Cost of Money, etc. (Must show base amount and rate)
iv.Travel – Number of trips, number of days per trip, departure and arrival destinations, number of people, etc.
v.Other Direct Costs – Should be itemized with costs or estimated costs. Backup documentation should be submitted to support proposed costs.
(2)major program tasks by fiscal year
(3)an itemization of major subcontracts and equipment purchases, to include: a cost proposal as detailed as the Proposer’s cost proposal; the subcontractor’s cost proposal can be provided in a sealed envelope with the Proposer’s cost proposal. Materials should be specifically itemized with costs or estimated costs. An explanation of any estimating factors, including their derivation and application, shall be provided. Please include a brief description of the Proposers’ procurement method to be used;
(4)an itemization of any information technology (IT) purchase including subcontractor cost (NOTE: For IT equipment purchases, include a letter stating why the proposer cannot provide the requested resources from its own funding);
(5) a summary of projected funding requirements by month;
(6) the source, nature, and amount of any industry cost-sharing. Where the effort consists of multiple portions which could reasonably be partitioned for purposes of funding, these should be identified as options with separate cost estimates for each; and identification of pricing assumptions of which may require incorporation into the resulting award instrument (e.g., use of Government Furnished / Facilities / Information, access to Government Subject Matter Expert/s, etc., and;
(7) a Tentative Schedule and Cost Rough Order of Magnitude (ROM) for Phase II and III. This Phase II and III information will not be evaluated and is for DARPA planning purposes only.

The prime contractor is responsible for compiling and providing all subcontractor proposals for the Procuring Contracting Officer (PCO). Subcontractor proposals should include Interdivisional Work Transfer Agreements (ITWA) or similar arrangements.

Supporting cost and pricing information in sufficient detail to substantiate the summary cost estimates in B. above. Include a description of the method used to estimate costs and supporting documentation. Note: “cost or pricing data” as defined in FAR Subpart 15.4 shall be required if the proposer is seeking a procurement contract or other transaction for prototype award of $650,000 or greater unless the proposers request an exception from the requirement to submit cost of pricing data. All proprietary subcontractor proposal documentation, prepared at the same level of detail as that required of the prime, shall be made immediately available to the Government, upon request, under separate cover (i.e., mail, electronic / email, etc.), either by the Proposer or by the subcontractor organization.

OCI Mitigation Plan (if applicable) to detail what steps the contractor is performing to mitigate an actual or perceived conflict of interest.

6.4. SUBMISSION DATES AND TIMES

6.4.1. Proposal Date
The proposal (original and eight (8) hard and two (2) electronic copies) must be submitted to DARPA/STO, 3701 North Fairfax Drive, Arlington, VA 22203-1714 (Attn.: BAA08-43) on or before 4:00 p.m., Eastern time, June 30, 2008, in order to be considered during the initial round of selections; however, proposals received after this deadline may be received and evaluated up to one year from date of posting on FedBizOpps. Proposals submitted after the due date specified in the BAA may be selected contingent upon the availability of funds.

DARPA will post a consolidated Question and Answer response after May 23, 2008, before final full proposals are due. In order to receive a response to your question, submit your question by May 19, 2008 to BAA08-43@darpa.mil or BAA08-43@darpa.smil.mil (classified) with a subject line “BAA 08-43 Question”.

The proposal (original and eight (8) hard and two (2) electronic copies) must be submitted in time to reach DARPA by June 30, 2008, in order to be considered during the initial evaluation phase; however, BAA-08-43 will remain open for one year from date of publication. Proposals may be submitted at any time from issuance of this announcement through the closing date; however, proposers are warned that the likelihood of funding is greatly reduced for proposals submitted after the initial closing date deadline.

DARPA will acknowledge receipt of complete submissions via email and assign control numbers that should be used in all further correspondence regarding proposals.

Failure to comply with the submission procedures may result in the submission not being evaluated.

6.5. INTERGOVERNMENTAL REVIEW
Not Applicable.

6.6. FUNDING RESTRICTIONS
Construction for this program must be approved in advance and in writing by DARPA.

All purchases of information technology (IT) must include itemized costs or estimated costs, cost justification, and a letter stating why the proposer cannot provide the requested resources from its own funding, as well as an explanation of any estimating factors, including their derivation and application, shall be provided. Please include a brief description of the Proposers’ procurement method to be used.

Awards will not allow reimbursement of pre-award costs.
7. Application Review Information

7.1. PROPOSAL EVALUATION CRITERIA

Evaluation of proposals will be accomplished through a scientific/technical review of each proposal using the following criteria, in order of descending importance: (a) Ability to Meet Program Go/No Metrics, (b) Overall Scientific and Technical Merit; (c) Proposer’s Capabilities and/or Related Experience; (d) Realism of Proposed Schedule; (e) Potential Contribution and Relevance to the DARPA Mission; (f) Plans and Capability to Accomplish Technology Transition; and (g) Cost Realism. Proposals will not be evaluated against each other since they are not submitted in accordance with a common work statement. DARPA’s intent is to review proposals as soon as possible after they arrive; however, proposals may be reviewed periodically for administrative reasons. The following are descriptions of the above listed criteria:

7.1.1. Ability to Meet Program Go/No-Go Metrics
The proposal clearly explains the technical approach(es) that will be employed to meet or exceed each program metric listed in BAA 08-43 Section 3.3.1 Phase I Go/No-Go Metrics. The feasibility and likelihood of the proposed approach for satisfying the Go/No-Go Metrics are explicitly described and clearly substantiated. The proposal reflects a mature and quantitative understanding of the program Go/No-Go metrics, the statistical confidence with which they may be measured, and their relationship to the concept of operations that will result from successful performance in the program.

7.1.2. Overall Scientific and Technical Merit
The proposed technical approach is feasible, achievable, complete and supported by a proposed technical team that has the expertise and experience to accomplish the proposed tasks as referenced in Section 6.3.1.1, Sub-section III, Detailed Technical Proposal. Task descriptions and associated technical elements provided are complete and in a logical sequence with all proposed deliverables clearly defined such that a final product that achieves the goal can be expected as a result of award. The proposal clearly identifies major technical risks and planned mitigation efforts and provides ample justification as to why the approach(es) is / are feasible.

7.1.3. Proposer’s Capabilities and/or Related Experience
The proposer’s prior experience in similar efforts must clearly demonstrate an ability to deliver products that meet the proposed technical performance within the proposed budget and schedule. The proposed team’s expertise to manage the cost and schedule will be evaluated. Similar efforts completed/ongoing by the proposer in this area are fully described including identification of other Government sponsors.

7.1.4. Realism of Proposed Schedule
The proposer’s abilities to aggressively pursue evaluation criteria and performance metrics in the shortest timeframe and to accurately account for that timeframe will be evaluated, as well as proposer’s ability to understand, identify, and mitigate any potential risk in schedule.

7.1.5. Potential Contribution and Relevance to the DARPA Mission
The potential contributions of the proposed effort with relevance to the national technology base will be evaluated. Specifically, DARPA’s mission is to maintain the technological superiority of the U.S. and prevent technological surprise from harming our national security by sponsoring revolutionary, high-payoff research that bridges the gap between fundamental discoveries and their use.

7.1.6. Plans and Capability to Accomplish Technology Transition
The capability to transition the technology to the research, industrial, and operational military communities in such a way as to enhance U.S. defense, and the extent to which intellectual property rights limitations creates a barrier to technology transition. The extent to which liberal, public-use intellectual property rights to hardware, software (maximizing open source use where feasible), design information, and documentation, beyond the minimum requirements of this solicitation is proposed.

7.1.7. Cost Realism
The objective of this criterion is to establish that the proposed costs are realistic for the technical and management approach offered, as well as to determine the proposer’s practical understanding of the effort. This will be principally measured by cost per labor-hour and number of labor-hours proposed. The evaluation criterion recognize that undue emphasis on cost may motivate proposers to offer low-risk ideas with minimum uncertainty and to staff the effort with junior personnel in order to be in a more competitive posture. DARPA discourages such cost strategies. Cost reduction approaches that will be received favorably include innovative management concepts that maximize direct funding for technology and limit diversion of funds into overhead.

After selection and before award the contracting officer will negotiate cost/price reasonableness.

Award(s) will be made to proposers whose proposals are determined to be the most advantageous to the Government, all factors considered, including the potential contributions of the proposed work to the overall research program and the availability of funding for the effort. Award(s) may be made to any proposer(s) whose proposal(s) is determined selectable regardless of its overall rating.

NOTE: PROPOSERS ARE CAUTIONED THAT EVALUATION RATINGS MAY BE
LOWERED AND/OR PROPOSALS REJECTED IF SUBMITTAL INSTRUCTIONS ARE NOT FOLLOWED.

7.2. REVIEW AND RECOMMENDATION PROCESS
It is the policy of DARPA to ensure impartial, equitable, comprehensive proposal evaluations and to select the source (or sources) whose offer meets the Government’s technical, policy, and programmatic goals. Pursuant to FAR 35.016, the primary basis for selecting proposals for acceptance shall be technical, importance to agency programs, and fund availability. In order to provide the desired evaluation, qualified Government personnel will conduct reviews and (if necessary) convene panels of experts in the appropriate areas.

Proposals will not be evaluated against each other since they are not submitted in accordance with a common work statement. DARPA’s intent is to review proposals as soon as possible after they arrive; however, proposals may be reviewed periodically for administrative reasons. For evaluation purposes, a proposal is the document described in “Proposal Information”, Section 6.2.1. Other supporting or background materials submitted with the proposal will be considered for the reviewer’s convenience only and not considered as part of the proposal.

Restrictive notices notwithstanding, proposals may be handled for administrative purposes by support contractors. These support contractors are prohibited from competition in DARPA technical research and are bound by appropriate non-disclosure requirements.

Subject to the restrictions set forth in FAR 37.203(d), input on technical aspects of the proposals may be solicited by DARPA from non-Government consultants /experts who are strictly bound by the appropriate non-disclosure requirements.

It is the policy of DARPA to treat all proposals as competitive information and to disclose their contents only for the purpose of evaluation. No proposals will be returned. Upon completion of the source selection process, the original of each proposal received will be retained at DARPA and all other copies will be destroyed.

8. Award Administration Information

8.1. AWARD NOTICES
As soon as the evaluation of a proposal is complete, the proposers will be notified that 1) the proposal has been selected for funding pending contract negotiations, or 2) the proposal has not been selected. These official notifications will be sent via U.S. mail to the Technical POC identified on the proposal coversheet.

8.2. ADMINISTRATIVE AND NATIONAL POLICY REQUIREMENTS

8.2.1. Security
Volume I (Technical and Management Proposals) submitted under this BAA may be classified up to SECRET in accordance with the DARPA Security Classification Guide (DARPA-CG-502). Volume II (Financial Proposals) will be unclassified. The anticipated award document for Phase I will be unclassified and for follow-on phases may be classified. See Section 6.1 for information on obtaining the Classified Addendum and Security Classification Guide.

A DD Form 254 will be issued and attached as part of the award. Proposers choosing to submit a classified proposal must first receive permission from the Original Classification Authority to use their information in replying to this BAA. Applicable classification guide(s) should be submitted to ensure that the proposal is protected appropriately.

Classified submissions shall be in accordance with the following guidance:

Collateral Classified Information: Use classification and marking guidance provided by previously issued security classification guides, the Information Security Regulation (DoD 5200.1-R), and the National Industrial Security Program Operating Manual (DoD 5220.22-M) when marking and transmitting information previously classified by another original classification authority. Classified information at the Confidential and Secret level may only be mailed via U.S. Postal Service (USPS) Registered Mail or U.S. Postal Service Express Mail. All classified information will be enclosed in opaque inner and outer covers and double wrapped. The inner envelope shall be sealed and plainly marked with the assigned classification and addresses of both sender and addressee. The inner envelope shall be address to:
Defense Advanced Research Projects Agency
ATTN: STO
Reference: (BAA08-43)
3701 North Fairfax Drive
Arlington, VA 22203-1714

The outer envelope shall be sealed with no identification as to the classification of its contents and addressed to:
Defense Advanced Research Projects Agency
Security & Intelligence Directorate, Attn: CDR
3701 North Fairfax Drive
Arlington, VA 22203-1714

All Top Secret materials should be hand carried via an authorized, two-person courier team to the DARPA CDR.

Special Access Program (SAP) Information: Contact the DARPA Special Access Program Central Office (SAPCO) 703-526-4052 for further guidance and instructions prior to transmitting SAP information to DARPA. Top Secret SAP, must be transmitted via approved methods for such material. Consult the DoD Overprint to the National Industrial Security Program Operating Manual for further guidance. Prior to transmitting SAP material, it is strongly recommended that you coordinate your submission with the DARPA SAPCO.

Sensitive Compartmented Information (SCI) Data: Contact the DARPA Special Security Office (SSO) at 703-812-1994/1993 for the correct SCI courier address and instructions. All SCI should be transmitted through your servicing Special Security Officer (SSO). SCI data must be transmitted through SCI channels only (i.e., approved SCI Facility to SCI facility via secure fax).

Proprietary Data: All proposals containing proprietary data should have the cover page and each page containing proprietary data clearly marked as containing proprietary data. It is the Proposers’ responsibility to clearly define to the Government what is considered proprietary data.

Proposers must have existing and in-place prior to execution of an award, approved capabilities (personnel and facilities) to perform research and development at the classification level they propose. It is the policy of DARPA to treat all proposals as competitive information, and to disclose their contents only for the purpose of evaluation. Proposals will not be returned. The original of each proposal received will be retained at DARPA and all other non-required copies destroyed. A certification of destruction may be requested, provided that the formal request is received at this office within 5 days after unsuccessful notification.

8.3. INTELLECTUAL PROPERTY
A goal of the NCR program is to develop a toolkit that the government may provide to any party it authorizes to conduct cyber testing at any authorized facility. The Government expects liberal intellectual property rights, including particularly software and technical data, with respect to all aspects of the NCR developed under this program. To this end, liberal intellectual property rights are an express element of the Plans and Capability to Accomplish Technology Transition Evaluation Criterion (see Section 7.1.6).

The Government encourages the Contractors to develop software pursuant toSection 8.3.2, as open source software, insofar as permitted by applicable laws and export regulations.

The government must be able to transfer that software to any party the government chooses. This applies to all software that is developed by or a component of the performer or team as part of their deliverables. This does not apply to commercial or publicly available software that the government may at any time obtain (such as operations systems, compilers, databases).

At minimum, the Government requires:

1. Unlimited Rights to: (a) hardware and software interface specification that would enable third-party vendors to develop NCR components and plug-in systems that would seamlessly interface with the performer’s range architecture; (b) the design of the hardware and software systems that enables the “packaging” and insertion of standard NCR components as peripherals; and (c) top-level system specifications, graphics, and performance metrics to enable effective program representation at conferences and trade shows.

2. Government Purpose Rights for five (5) years, subsequently reverting to Unlimited Rights, to: (a) all algorithms, software, protocols, hardware and software interfaces, and accompanying documentation that are not commercial software and are developed or modified under this program; (b) sufficient data to enable independent verification of milestone criteria, test results, performance predictions, and the Contractor’s technical and financial progress; and (c) system details necessary to brief program or component technical progress and accomplishments.

The Government may choose to accept Limited or Restricted Rights on other items. Additional requirements may later be identified and may become part of future phases. The performer shall be responsible for marking appropriately (by page) all data delivered to the Government to which the Government has less than Unlimited Rights.

Proposers should not include background proprietary software and data as the basis of their proposed approach unless the proposal includes granting full control to the government. Proposers expecting to utilize, but not to deliver, open source tools or other materials in implementing their approach must ensure that the government does not incur any legal obligation due to such utilization. All references to “unlimited” or “government purpose rights” are intended to refer to the definitions of those terms as set forth in the Defense Federal Acquisition Regulation Supplement (DFARS) Part 227.

Thus, proposals that come with rights other than discussed above will be penalized during the assessment.

8.3.1. Procurement Contract Proposers

8.3.1.1. Noncommercial Items (Technical Data and Computer Software)
Proposers responding to this BAA requesting a procurement contract to be issued under the FAR/DFARS, shall identify all noncommercial technical data, and noncommercial computer software that it plans to generate, develop, and/or deliver under any proposed award instrument in which the Government will acquire less than unlimited rights, and to assert specific restrictions on those deliverables. Proposers shall follow the format under DFARS 252.227-7017 for this stated purpose. In the event that proposers do not submit the list, the Government will assume that it automatically has “unlimited rights” to all noncommercial technical data and noncommercial computer software generated, developed, and/or delivered under any award instrument, unless it is substantiated that development of the noncommercial technical data and noncommercial computer software occurred with mixed funding. If mixed funding is anticipated in the development of noncommercial technical data, and noncommercial computer software generated, developed, and/or delivered under any award instrument, then proposers should identify the data and software in question, as subject to Government Purpose Rights (GPR). In accordance with DFARS 252.227-7013 Rights in Technical Data – Noncommercial Items, and DFARS 252.227-7014 Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation, the Government will automatically assume that any such GPR restriction is limited to a period of five (5) years in accordance with the applicable DFARS clauses, at which time the Government will acquire “unlimited rights” unless the parties agree otherwise. Proposers are admonished that the Government will use the list during the source selection evaluation process to evaluate the impact of any identified restrictions, and may request additional information from the proposer, as may be necessary, to evaluate the proposer’s assertions. If no restrictions are intended, then the proposer should state “NONE.”

A sample list for complying with this request is as follows:

NONCOMMERCIAL
Technical Data Computer Software To be Furnished With Restrictions
Basis for Assertion

Asserted Rights Category

Name of Person Asserting Restrictions

(LIST)
(LIST)
(LIST)
(LIST)

8.3.1.2. Commercial Items (Technical Data and Computer Software)
Proposers responding to this BAA requesting a procurement contract to be issued under the FAR/DFARS, shall identify all commercial technical data, and commercial computer software that may be embedded in any noncommercial deliverables contemplated under the research effort, along with any applicable restrictions on the Government’s use of such commercial technical data and/or commercial computer software. In the event that proposers do not submit the list, the Government will assume that there are no restrictions on the Government’s use of such commercial items. The Government may use the list during the source selection evaluation process to evaluate the impact of any identified restrictions, and may request additional information from the proposer, as may be necessary, to evaluate the proposer’s assertions. If no restrictions are intended, then the proposer should state “NONE.”

A sample list for complying with this request is as follows:

COMMERCIAL
Technical Data Computer Software To be Furnished With Restrictions
Basis for Assertion

Asserted Rights Category

Name of Person Asserting Restrictions

(LIST)
(LIST)
(LIST)
(LIST)

8.3.2. Noncommercial and Commercial Items (Technical Data and Computer Software)
Proposers responding to this BAA requesting an Other Transaction shall follow the applicable rules and regulations governing that instrument, but in all cases should appropriately identify any potential restrictions on the Government’s use of any Intellectual Property contemplated under that award instrument. This includes both Noncommercial Items and Commercial Items. Although not required, proposers may use a format similar to that described in Paragraphs 8.3.1.1 and 8.3.1.2 above. The Government may use the list during the source selection evaluation process to evaluate the impact of any identified restrictions, and may request additional information from the proposer, as may be necessary, to evaluate the proposer’s assertions. If no restrictions are intended, then the proposer should state “NONE.”

8.3.3. All Proposers – Patents
Include documentation proving your ownership of or possession of appropriate licensing rights to all patented inventions (or inventions for which a patent application has been filed) that will be utilized under your proposal for the DARPA program. If a patent application has been filed for an invention that your proposal utilizes, but the application has not yet been made publicly available and contains proprietary information, you may provide only the patent number, inventor name(s), assignee names (if any), filing date, filing date of any related provisional application, and a summary of the patent title, together with either: 1) a representation that you own the invention, or 2) proof of possession of appropriate licensing rights in the invention.

8.3.4. All Proposers-Intellectual Property Representations
Provide a good faith representation that you either own or possess appropriate licensing rights to all other intellectual property that will be utilized under your proposal for the DARPA program. Additionally, proposers shall provide a short summary for each item asserted with less than unlimited rights that describes the nature of the restriction and the intended use of the intellectual property in the conduct of the proposed research.

8.4. MEETING AND TRAVEL REQUIREMENTS
There is a Program Kickoff meeting tentatively scheduled for November 18, 2008 and all key participants are required to attend. Performers should also anticipate periodic site visits at the Program Manager’s discretion.

8.5. HUMAN USE
All research involving human subjects, to include use of human biological specimens and human data, selected for funding must comply with the federal regulations for human subject protection. Further, research involving human subjects that is conducted or supported by the DoD must comply with 32 CFR 219, Protection of Human Subjects (http://www.dtic.mil/biosys/downloads/32cfr219.pdf), and DoD Directive 3216.02, Protection of Human Subjects and Adherence to Ethical Standards in DoD-Supported Research (http://www.dtic.mil/whs/directives/corres/html2/d32162x.htm).

Institutions awarded funding for research involving human subjects must provide documentation of a current Assurance of Compliance with Federal regulations for human subject protection, for example a Department of Health and Human Services, Office of Human Research Protection Federal Wide Assurance (http://www.hhs.gov/ohrp). All institutions engaged in human subject research, to include subcontractors, must also have a valid Assurance. In addition, personnel involved in human subjects research must provide documentation of completing appropriate training for the protection of human subjects.

For all proposed research that will involve human subjects in the first year or phase of the project, the institution must provide evidence of or a plan for review by an Institutional Review Board (IRB) upon final proposal submission to DARPA. The IRB conducting the review must be the IRB identified on the institution’s Assurance. The protocol, separate from the proposal, must include a detailed description of the research plan, study population, risks and benefits of study participation, recruitment and consent process, data collection, and data analysis. Consult the designated IRB for guidance on writing the protocol. The informed consent document must comply with federal regulations (32 CFR 219.116). A valid Assurance along with evidence of appropriate training all investigators should all accompany the protocol for review by the IRB.

In addition to a local IRB approval, a headquarters-level human subjects regulatory review and approval is required for all research conducted or supported by the DoD. The Army, Navy, or Air Force office responsible for managing the award can provide guidance and information about their component’s headquarters-level review process. Note that confirmation of a current Assurance and appropriate human subjects protection training is required before headquarters-level approval can be issued.

The amount of time required to complete the IRB review/approval process may vary depending on the complexity of the research and/or the level of risk to study participants. Ample time should be allotted to complete the approval process. The IRB approval process can last between one to three months, followed by a DoD review that could last between three to six months. No DoD/DARPA funding can be used towards human subjects research until ALL approvals are granted.

8.6. ANIMAL USE
Any Recipient performing research, experimentation, or testing involving the use of animals shall comply with the rules on animal acquisition, transport, care, handling, and use in: (i) 9 CFR parts 1-4, Department of Agriculture rules that implement the Laboratory Animal Welfare Act of 1966, as amended, (7 U.S.C. 2131-2159); and (ii) the guidelines described in National Institutes of Health Publication No. 86-23, “Guide for the Care and Use of Laboratory Animals.”

For submissions containing animal use, proposals should briefly describe plans for Institutional Animal Care and Use Committee (IACUC) review and approval. Animal studies in the program will be expected to comply with the PHS Policy on Humane Care and Use of Laboratory Animals, available at http://grants.nih.gov/grants/olaw/olaw.htm.

All Recipients must receive approval by a DoD certified veterinarian, in addition to an IACUC approval. No animal studies may be conducted using DoD/DARPA funding until the USAMRMC Animal Care and Use Review Office (ACURO) or other appropriate DoD veterinary office(s) grant approval. As a part of this secondary review process, the Recipient will be required to complete and submit an ACURO Animal Use Appendix, which may be found at https://mrmc.amedd.army.mil/AnimalAppendix.asp

8.7. PUBLIC RELEASE OR DISSEMINATION OF INFORMATION
The following provision will be incorporated into any resultant contract:

(a) There shall be no dissemination or publication, except within and between the Contractor and any subcontractors, of information developed under this contract or contained in the reports to be furnished pursuant to this contract without prior written approval of the DARPA Technical Information Officer (DARPA/TIO). All technical reports will be given proper review by appropriate authority to determine which Distribution Statement is to be applied prior to the initial distribution of these reports by the Contractor. Papers resulting from unclassified contracted fundamental research are exempt from prepublication controls and this review requirement, pursuant to DoD Instruction 5230.27 dated October 6, 1987.

(b) When submitting material for written approval for open publication as described in subparagraph (a) above, the Contractor must submit a request for public release request to the DARPA TIO and include the following information: 1) Document Information: document title, document author, short plain-language description of technology discussed in the material (approx 30 words), number of pages (or minutes of video) and document type (briefing, report, abstract, article, or paper); 2) Event Information: event type (conference, principle investigator meeting, article or paper), event date, desired date for DARPA’s approval; 3) DARPA Sponsor: DARPA Program Manager, DARPA office, and contract number; and 4) Contractor’s Information: POC name, e-mail and phone. Allow four weeks for processing; due dates under four weeks require a justification. Unusual electronic file formats may require additional processing time. Requests can be sent either via e-mail to tio@darpa.mil or via 3701 North Fairfax Drive, Arlington VA 22203-1714, telephone (571) 218-4235. Refer to www.darpa.mil/tio for information about DARPA’s public release process.

8.8. EXPORT CONTROL
Should this project develop beyond fundamental research (basic and applied research ordinarily published and shared broadly within the scientific community) with military or dual-use applications the following apply:

(1) The Contractor shall comply with all U. S. export control laws and regulations, including the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120 through 130, and the Export Administration Regulations (EAR), 15 CFR Parts 730 through 799, in the performance of this contract. In the absence of available license exemptions/exceptions, the Contractor shall be responsible for obtaining the appropriate licenses or other approvals, for obtaining the appropriate licenses or other approvals, if required, for exports of (including deemed exports) hardware, technical data, and software, or for the provision of technical assistance.

(2) The Contractor shall be responsible for obtaining export licenses, if required, before utilizing foreign persons in the performance of this contract, including instances where the work is to be performed on-site at any Government installation (whether in or outside the United States), where the foreign person will have access to export-controlled technologies, including technical data or software.

(3) The Contractor shall be responsible for all regulatory record keeping requirements associated with the use of licenses and license exemptions/exceptions.

(4) The Contractor shall be responsible for ensuring that the provisions of this clause apply to its subcontractors.

8.9. SUBCONTRACTING
Pursuant to Section 8(d) of the Small Business Act (15 U.S.C. 637(d)), it is the policy of the Government to enable small business and small disadvantaged business concerns to be considered fairly as subcontractors to contractors performing work or rendering services as prime contractors or subcontractors under Government contracts, and to assure that prime contractors and subcontractors carry out this policy. Each proposer who submits a contract proposal and includes subcontractors is required to submit a subcontracting plan in accordance with FAR 19.702(a) (1) and (2) should do so with their proposal. The plan format is outlined in FAR 19.704.

8.10. REPORTING
The number and types of reports will be specified in the award document, but will include as a minimum monthly financial status reports. The reports shall be prepared and submitted in accordance with the procedures contained in the award document and mutually agreed on before award. Reports and briefing material will also be required as appropriate to document progress in accomplishing program metrics. A Final Report that summarizes the project and tasks will be required at the conclusion of the performance period for the award, notwithstanding the fact that the research may be continued under a follow-on vehicle. Subject invention and patent reporting will be done via iEdison.

8.10.1. Central Contractor Registration (CCR)
Selected proposers not already registered in the Central Contractor Registry (CCR) will be required to register in CCR prior to any award under this BAA. Information on CCR registration is available at http://www.ccr.gov.

8.10.2. Representations and Certifications
In accordance with FAR 4.1201, prospective proposers shall complete electronic annual representations and certifications at http://orca.bpn.gov.

8.10.3. Wide Area Work Flow (WAWF)
Unless using another approved electronic invoicing system, performers will be required to submit invoices for payment directly via the Internet/WAWF at http://wawf.eb.mil. Registration to WAWF will be required prior to any award under this BAA.

8.10.4. T-FIMS
The award document for each proposal selected and funded will contain a mandatory requirement for four DARPA Quarterly Status Reports each year, one of which will be an annual project summary. These reports will be electronically submitted by each awardee under this BAA via the DARPA Technical – Financial Information Management System (T-FIMS). The T-FIMS URL and instructions will be furnished by the contracting agent upon award.

8.11. Agency Contacts
The preferred method of communication is unclassified email or classified fax.

Administrative, technical or contractual questions should be sent via e-mail to baa08-43@darpa.mil. If e-mail is not available, fax questions to (703) – 807-1762, Attention: BAA08-43. Classified questions should be addressed to the classified fax at (703) – 526-4749/50. All requests must include the name, email address, and phone number of a point of contact.

Points of Contact:

Unclassified fax (703) – 807-1762, electronic mail: baa08-43@darpa.mil.
Classified fax (703) – 526-4749/50, (SIPRNet) baa08-43@darpa.smil.mil

DARPA/STO
ATTN: BAA08-43
3701 North Fairfax Drive
Arlington, VA 22203-1714

9. Other Information

9.1. Proposers’ Day
The National Cyber Range Proposers’ Day will be held May 13-14, 2008. More information can be found at http://www.darpa.mil/sto/solicitations/BAA08-43/index.html

DARPA will provide cleared personnel an opportunity to view the Classified Addendum and Security Classification Guide on May 12th, prior to the NCR Proposers’ Day. Details can be found on the Proposers’ Day Website.
10. Glossary

CDR The Critical Design Review is a multi-disciplined technical review to ensure that the system under review can proceed into full-scale system fabrication, demonstration, and test; and can meet the stated performance requirements within cost (program budget), schedule (program schedule), risk, and other system constraints.
CONOPS The Concept of Operations describes the characteristics for the proposed NCR from the viewpoint of any individual or organization who will operate, use, or interact with the NCR. The CONOPS is used to communicate overall quantitative and qualitative system or situation characteristics to DARPA, as well as the performers assumptions or intent, as well as the overall picture of the NCR operation.
DoD Department of Defense
Enclave A network or subnet under the control and management of a single entity, typically representing an enterprise or organizational network.
FOC Full Operational Capability
GIG The Global Information Grid is the globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating and managing information on demand to warfighters, policy makers, and support personnel. (DoD Directive 8100.1, September 19, 2002, Global Information Grid (GIG) Overarching Policy).
LAN Local Area Network
Malware Any offensive software designed to penetrate a system, elevate privileges, and/or execute a payload.
NCR National Cyber Range
Node An originating, terminating, or pass-through device for information; end points (workstation), routing devices, security control, etc.
OpFor (Oppositional Forces) Range personnel tasked as opponents during testing on the NCR. The OpFor may play defensively, offensively, or both, in support of a Test Director’s needs.
Observer/Controller Range personnel tasked to provide administrative control, evaluate task performance, and provide constructive feedback to participants during a test. An individual who is a Subject-Matter Expert (SME) in the domain of the test being conducted.
PDR The Preliminary Design Review is a multi-disciplined technical review of Phase I deliverables to ensure that the system under review can proceed into prototyping, and can meet the stated performance requirements within cost (program budget), schedule (program schedule), risk, and other system constraints.

Recipe A set of instructions that describes the configuration of a node that may include hardware, firmware, metadata, user data, and software (operating system, applications, services, etc). A recipe may be an electronic image of a configured node.
Replicant Sophisticated software that can duplicate human observed behavior on a node or network.
Replication Any means to reproduce a capability – including but not limited to physical duplication, emulation, virtualization, and simulation.
System Under Test (SUT) A program solution that is being tested on a NCR testbed.
Test Any event, exercise, or demonstration proposed to be run on the NCR
TestBed A logically or physically segmented subset of the range infrastructure and resources assigned by the NCR to a particular test. A testbed may include hardware, software, and assigned personnel.
Test Director (TD) The single, definitive executive or manager responsible for all aspects of a test.
Test Organization (TO) The parent organization of the Test Director responsible for all aspects of a test.
Virtual Techniques to run logical abstractions of a physical computer resource.
WAN Wide Area Network
Attachment A: NCR DARPA-BAA-08-43 Classified PACKET REQUEST Form

Date:

Company Name: _____________________________________

Company Address (Unclassified): _____________________________________

_____________________________________

_____________________________________

_____________________________________

Company Address (Classified): _____________________________________

_____________________________________

_____________________________________

_____________________________________

Unclassified Fax: _____________________________________

Point of Contact Name: _____________________________________

POC Phone Number: _____________________________________

POC Fax Number: _____________________________________

POC E-mail: _____________________________________

Company CAGE code: _____________________________________

Security or FSO Phone Number: _____________________________________

Security or FSO Fax Number: _____________________________________

Security or FSO e-mail: _____________________________________

Company Secure Fax number: _____________________________________

17 comments to DARPA National Cyber Range

Leave a Reply

  

  

  


*

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

sharethis_button(); }?>