Passive Autonomous Vulnerability Screening of Systems Outside the Accreditation Boundary

ID: MDA251-D004 • Type: SBIR / STTR Topic

Description

OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Trusted AI and Autonomy; Advanced Computing and Software; Integrated Sensing and Cyber; Emerging Threat Reduction; Microelectronics; Integrated Network Systems-of-Systems

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.

OBJECTIVE: Create autonomous tools to passively screen for vulnerabilities on systems outside the Missile Defense Agency's (MDA's) accreditation boundary.

DESCRIPTION: The Missile Defense Agency (MDA) has a need to identify externally reachable vulnerabilities in software that is of interest to the military and associated mission sets. Similarly, the MDA needs to illuminate potential externally facing vulnerabilities that are observable through passive cyber reconnaissance techniques within its own networks. Current techniques to address these needs are time-consuming, non-comprehensive, and have limited visibility. A possible alternative approach is through the intersection of automated software fuzzing and code identification with external, automated, passive cyber risk sensing on a global scale. This integration of software fuzzing and risk sensing introduces automation to reduce manual cycles, leverages global-scale datasets to enhance visibility, and generates a comprehensive software bill of materials to increase application coverage.

PHASE I: Phase I-like proposals will not be evaluated and will be rejected as nonresponsive. For this topic, the Government expects the small business would have accomplished the following in a Phase I-like effort via some other means, e.g., independent research and development (IRAD) or other source, a concept for a workable prototype or design to address, at a minimum, the basic capabilities of the stated objective above. Proposal must show, as appropriate, a demonstrated technical feasibility or nascent capability. The documentation provided must substantiate the proposer's development of a preliminary understanding of the technology to be applied in their Phase II proposal in meeting topic objectives. Documentation should comprise all relevant information including, but not limited to, technical reports, test data, prototype designs/models, and performance goals/results. Feasibility = maturity and what have you already done/validated. Proposers interested in participating in Direct to Phase II must include in their responses to this topic Phase I feasibility documentation that substantiates the scientific and technical merit and Phase I feasibility described in Phase I above has been met. (i.e., the small business must have performed a proof of concept like Phase I component and/or other validation in a relevant environment, and/or at a much higher TRL level (5 or higher) and describe the potential commercialization applications. The documentation provided must validate that the proposer has completed development of technology in previous work or research completed.)

IRAD work, previous Phase I/Phase II work: Documentation should include the most relevant information including, but not limited to: technical reports, test data, prototype designs/models, and/or performance goals/results. Work submitted within the feasibility documentation must have been substantially performed by the proposer and/or the principal investigator (PI).

PHASE II: Vendors are expected to demonstrate automated passive cyber reconnaissance tools remotely on one or more third party networks outside of MDA's accreditation boundary. Metrics for success are: reach (degree of access to third parties outside of MDA's accreditation boundary), degree of automation, comprehensiveness (effectiveness across vulnerability types), reliability (false positives/false negatives), non-attribution (degree of passivity), and usability (degree to which tools can be operated by humans and incorporated into existing ecosystems).

PHASE III DUAL USE APPLICATIONS: The same needs of MDA are prevalent across the DoD and Commercial Enterprise sector.

REFERENCES:
1. Mission Assurance Cyber Tools (JFAC.apps.dos.mil/tools)
2. Common Vulnerability Enumeration Data Base (CVE.Mitre.org)

KEYWORDS: Autonomous; Autonomy; Vulnerability; Vulnerabilities; Accreditation

Overview

Response Deadline: Feb. 5, 2025 (Past Due)
Posted: Dec. 4, 2024
Open: Dec. 4, 2024
Set Aside: Small Business (SBA)
Place of Performance: Not Provided

Program: SBIR Phase I / II
Structure: Contract
Phase Detail:
Phase I: Establish the technical merit, feasibility, and commercial potential of the proposed R/R&D efforts and determine the quality of performance of the small business awardee organization.
Phase II: Continue the R/R&D efforts initiated in Phase I. Funding is based on the results achieved in Phase I and the scientific and technical merit and commercial potential of the project proposed in Phase II. Typically, only Phase I awardees are eligible for a Phase II award.
Duration: 6 Months - 1 Year
Size Limit: 500 Employees
On 12/4/24 Missile Defense Agency issued SBIR / STTR Topic MDA251-D004 for Passive Autonomous Vulnerability Screening of Systems Outside the Accreditation Boundary due 2/5/25.
