OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Advanced Computing and Software; Quantum Science OBJECTIVE: Develop a methodology for assessing the impact of adopting Post-Quantum Cryptographic (PQC) algorithms by systems constrained to legacy hardware (hardware not optimized for Quantum computing). Demonstrate effectiveness of the methodology through modeling and simulation. The approach should be able to assess the enterprise network from the cloud to the tactical edge. DESCRIPTION: NOTE: A small business concern may only submit one (1) proposal to each Open Topic. If more than one proposal from a small business concern is received for a single Open Topic, only the most recent proposal to be certified and submitted in DSIP prior to the submission deadline will receive an evaluation. All prior proposals submitted by the small business concern for the same Open Topic will be marked as nonresponsive and will not receive an evaluation. Navy Maintenance Repair and Overhaul (N-MRO) provides a single, enterprise-wide capability for planning, predicting, scheduling, and executing maintenance at the organizational, intermediate, and depot levels across ships, submarines, expeditionary units, and aircraft. Operating globally both ashore and afloat N-MRO supports more than 4,100 platforms and approximately 150,000 users across ~700 Navy sites worldwide. As quantum computing advances, the security of traditional cryptographic methods comes under increasing threat. In response, the National Institute of Standards and Technology (NIST) is standardizing PQC algorithms, and the National Security Agency (NSA) has set timelines for adopting PQC to protect national security systems. However, these algorithms often require larger key sizes and more computational resources, raising important considerations for performance, energy consumption, and hardware constraints. This SBIR Open Topic seeks innovative solutions to evaluate and demonstrate a PQC-enabled environment within contexts like N-MRO. The goal is to explore the performance, management, configuration, training, and policy implications of PQC, especially with regard to legacy hardware. Small business concerns may propose any method to integrate and test NIST-approved PQC algorithms potentially via tools such as dynamically linked libraries or shared objects but are encouraged to remain flexible and consider alternative approaches. A systematic model or simulation of PQC adoption is highly desired to quantify its impact on existing infrastructures. By understanding where performance could be maintained or improved and identifying risks, opportunities, and timing for potential hardware upgrades the Department of the Navy (DON) will be better positioned to transition mission-critical systems like N-MRO to post-quantum cryptography. This proactive exploration ensures that future deployments can meet operational requirements while mitigating quantum-era threats. The following are expected: 1. Define and Develop Drop-In PQC Capabilities Use NIST-approved PQC algorithms to handle key exchange, signature exchange, and secure communications for both data in transit and at rest. Evaluate performance and power consumption to ensure feasibility in networks with strict timing requirements. 2. Establish a Monitoring Framework Identify and track key performance metrics Request Response Time, Page Response Time, and Error Rate before and after PQC adoption. Provide guidelines for continuous performance assessment under operational conditions. 3. Develop a System Model Simulate protocols and methods that replace traditional ( pre-quantum ) encryption with PQC. Demonstrate performance implications and potential trade-offs, informing risk assessments and readiness planning. 4. Implement a Representative Testbed Acquire and configure commodity hardware to deploy PQC algorithms in a controlled environment. Validate functional performance against the modeled predictions delivered in Phase I. Provide procedures for system administrators to manage, configure, and monitor the new PQC capabilities. 5. Refine the Model with Collected Metrics Gather real-world data (Request Response Time, Page Response Time, and Error Rate) to validate and fine-tune the initial model. Determine the operational impact of PQC, including hardware constraints and potential optimization strategies. 6. Assess N-MRO System Impacts Evaluate how selected PQC algorithms affect the Navy Maintenance Repair and Overhaul (N-MRO) family of systems. Use findings to recommend any necessary system or policy changes. 7. Recommend Policy Updates Suggest edits to existing Public Key Infrastructure (PKI) and Public Key Enablement (PKE) guidance (e.g., DoDI 8520.02) based on observed PQC performance and requirements. Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. owned and operated with no foreign influence as defined by 32 U.S.C. 2004.20 et seq., National Industrial Security Program Executive Agent and Operating Manual, unless acceptable mitigating procedures can and have been implemented and approved by the Defense Counterintelligence and Security Agency (DCSA) formerly Defense Security Service (DSS). The selected contractor must be able to acquire and maintain a secret level facility and Personnel Security Clearances. This will allow contractor personnel to perform on advanced phases of this project as set forth by DCSA and NAVWAR in order to gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material during the advanced phases of this contract IAW the National Industrial Security Program Operating Manual (NISPOM), which can be found at Title 32, Part 2004.20 of the Code of Federal Regulations. PHASE I: The DON is planning to issue multiple Phase I awards for this topic but reserves the right to issue no awards. Each Phase I proposal must include a Base and Option period of performance. The Phase I Base must have a period of performance of six (6) months at a cost not to exceed $140,000. The Phase I Option must have a period of performance of six (6) months at a cost not to exceed $100,000. Phase I feasibility will describe the existing proposed technology, existing DON system(s) to improve, modifications required, anticipated improvements to existing capabilities, impacts to current logistics if any (i.e., transportation, storage, maintenance, safety, etc.) and transition approach to the DON system. Results of Phase I will be detailed in a final technical report (Final Report). Phase I deliverables include: - Kick-Off Briefing, due 15 days from start of Base award - Progress Report, due 90 days from start of Base award - Final Report, due 180 days from start of Base award - Quad Chart, due 180 days from start of Base award - Initial Phase II Proposal, due 180 days from start of Base award PHASE II: All Phase I awardees may submit an Initial Phase II proposal for evaluation and selection. The evaluation criteria for Phase II are the same as Phase I (as stated in this BAA). The Phase I Final Report and Initial Phase II Proposal will be used to evaluate the small business concern's potential to adapt commercial products to fill a capability gap, improve performance, or modernize an existing capability for DON and transition the technology to Phase III. Details on the due date, content, and submission requirements of the Initial Phase II Proposal will be provided by the awarding SYSCOM either in the Phase I contract or by subsequent notification. The scope of the Phase II effort will be specific to each project but is generally expected to develop a functional prototype to demonstrate the capability, develop transition plan including production and fielding approach (including updated logistics and safety consideration) and further commercialization (non-DoD). Deliverables include all software, scripts, architecture models, system/software design artifacts, user and transition assessment documentation, and fleet experimentation (FLEX) reports. It is highly likely that the work, prototyping, test, simulation, and validation may become classified in Phase II (see Description for details). However, the proposal for Phase II will be UNCLASSIFIED. PHASE III DUAL USE APPLICATIONS: Support the transition of the developed technology to Navy use. PQC impacts both DON and commercial interests. The developed assessment methodology and monitoring setup would be useful to military and commercial interests alike that have existing, fielded systems running on hardware that is not optimized for PQC and who may desire to avoid full hardware replacement. REFERENCES: Adrian, David. Post-quantum cryptography is too damn big. Blog, March 22, 2024. https://dadrian.io/blog/posts/pqc-signatures-2024/ D'Oliveira, Rafael G. L. et al. Post-Quantum Security for Ultra-Reliable Low-Latency Heterogeneous Networks. IEEE, 13 Aug 2021 (arXiv:2108.06409v1 [cs.IT) https://ieeexplore.ieee.org/document/9653013 Basu, Kanad; Soni, Deepraj; Nabeel, Mohammed and Karri, Ramesh. NIST Post-Quantum Cryptography - A Hardware Evaluation Study. https://eprint.iacr.org/2019/047.pdf Network Security - Post-Quantum Migration Planning and Preparation. https://docs.paloaltonetworks.com/network-security/quantum-security/administration/quantum-security-concepts/post-quantum-migration-planning-and-preparation Office of the DoD Chief Information Officer. DOD INSTRUCTION 8520.02 PUBLIC KEY INFRASTRUCTURE AND PUBLIC KEY ENABLING. May 18, 2023. https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodi/852002p.pdf KEYWORDS: Post-Quantum Cryptography; cybersecurity; Network security; Key Exchange; Encryption; Authentication; Key management; Post-Quantum Encryption; PKI; PKE
