What are the Opportunities Available to Obtain Federal Research Funding Douglas Maughan Division Director, Cyber Security Division Homeland Security Advanced Research Projects Agency (HSARPA) Science and Technology (S&T) Directorate Department of Homeland Security (DHS)

Obtaining Federal Research Funding Understanding the Landscape Contracting Small Business Programs Larger R&D Solicitations Summary / Q&A

Comprehensive National Cybersecurity Initiative (CNCI) Establish a front line of defense Reduce the Number of Trusted Internet Connections Deploy Passive Sensors Across Federal Systems Pursue Deployment of Automated Defense Systems Coordinate and Redirect R&D Efforts Resolve to secure cyberspace / set conditions for long-term success Connect Current Centers to Enhance Situational Awareness Develop Gov’t-wide Counterintelligence Plan for Cyber Increase Security of the Classified Networks Expand Education Shape future environment / secure U.S. advantage / address new threats Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs Define and Develop Enduring Deterrence Strategies & Programs Manage Global Supply Chain Risk Cyber Security in Critical Infrastructure Domains http://cybersecurity.whitehouse.gov 4 4

Federal Cybersecurity Research and Development Program: Strategic Plan

Federal Cybersecurity R&D Strategic Plan Research Themes Tailored Trustworthy Spaces Moving Target Defense Cyber Economics and Incentives Designed-In Security (New for FY12) Science of Cyber Security Transition to Practice Technology Discovery Test & Evaluation / Experimental Deployment Transition / Adoption / Commercialization Support for National Priorities Health IT, Smart Grid, NSTIC (Trusted Identity), NICE (Education), Financial Services Released Dec 6, 2011 http://www.whitehouse.gov/blog/2011/12/06/federal-cybersecurity-rd-strategic-plan-released

Federal Cybersecurity Research Community Agency / Org Research Agenda Researchers Customers / Consumers National Science Foundation (NSF) Broad range of cyber security topics; Several academic centers Academics and Non-Profits Basic Research - No specific customers Defense Advanced Research Projects Agency (DARPA) Mostly classified; unclassified topics are focused on MANET solutions Few academics; large system integrators; research and government labs Mostly DOD; most solutions are GOTS, not COTS National Security Agency (NSA) SELinux; Networking theory; CAEIAE centers Mostly in-house Intelligence community; some NSA internal; some open source Intelligence Advanced Research Projects Agency (IARPA) Accountable Information Flow (AIF); Large Scale System Defense (LSSD); Privacy Protection Technologies (PPT) Mostly research labs, system integrators, and national labs; Some academics Intelligence community Department of Homeland Security (DHS) S&T All unclassified; Secure Internet Protocols; Process Control Systems (PCS), Emerging Threats, Insider Threat, Cyber Forensics; Open Security Technologies, Next Generation Technologies Blend of academics, research and government labs, non-profits, private sector and small business DHS Components (including NPPD, NCSC, USCG, FLETC and USSS); CI/KR Sectors; USG and Internet

How to increase your success rate Understand your client Federal agencies have distinctly different characters Different missions Different processes Federal agencies are not charities Money is appropriated to them for specific purposes You will be more successful if you can explain why your proposed R&D supports their mission

Federal R&D Process Planning Solicitation Contract Execution Identify requirements Develop program plan and allocate resources Communicate plans and priorities to technical community Planning Solicitation Posting Solicitations Solicitation Process – White Papers Submitting proposals Contract Different programs demand different contract vehicles Flexibility used to match mission Programs tailored to meet unique conditions of objectives Active interaction with performers Execution

Federal R&D Programs A program is led by a Program Manager(PM) A program will have: Specific Technology Objectives aligned with customer needs; some will have a significant operational impact Plan to move from current level of technical maturity to a higher level (e.g., For DOD it’s TRLs – Technology Readiness Levels) A technical approach indicating how the objectives will be achieved A program structure indicating how the PM has deployed resources (time, money, executors) to achieve the objectives Deliverables Transition Strategy/Technology Development Path

Mechanics of Proposing R&D Find agencies with closest mission match Identify R&D element(s) within the agencies Look for existing R&D solicitations (Money already exists for these efforts!) Do your homework (LOOK AT PREVIOUS SOLICITATIONS, read websites, workshop results, and any presentations on your target program solicitation) Respond to solicitation carefully – meet all administrative requirements and make sure your R&D matches the stated program needs If no solicitation, contact R&D PM. Explain relevance to his/her mission. Be patient. Be persistent.

Contracting Vehicles The Government has a range of contracting vehicles to match programmatic needs and contractor character. Grants Contracts Cooperative agreements Other Transactions for Research or Prototypes Allows government to deal with non-traditional contractors who have desirable technologies, but do not want to keep “Government books” Must comply with “generally acceptable accounting principles”

Team approach (technical & business) Cost Realism / Price Analysis R&D Proposals Team approach (technical & business) Consider hiring government contracting specialist Cost Realism / Price Analysis Past Performance Contract Types for R&D Sticking Point: Financial Audit If you’ve never had a government contract, consider talking with DCAA sooner rather than later. DCAA = Defense Contract Audit Agency

Helpful Contracting Websites http://www.dcaa.mil/dcaap7641.90.pdf http://www.sba.gov/services/contractingopportunities http://farsite.hill.af.mil http://acquisition.gov/far/index.html

Programs for U. S. Small Business Small Business Innovation Research (SBIR) Set-aside program for small business concerns to engage in federal R&D -- with potential for commercialization Small Business Technology Transfer (STTR) Set-aside program to facilitate cooperative R&D between small business concerns and research institutions -- with potential for commercialization 2.5% .3%

SBIR - A 3 Phase Program PHASE I PHASE II PHASE III Feasibility Study $100K (in general) and 6 month effort (amounts are changing) PHASE II Full Research/R&D $750K and 24 month effort (amounts are changing) Commercialization plan required PHASE III Commercialization Stage Use of non-SBIR Funds

Which Government Agencies? Both SBIR/STTR Defense Health & Human Services NASA DOE NSF SBIR only DHS DOA DOC ED EPA DOT NIH

Agency SBIR Differences Number and timing of solicitations R&D Topic Areas – Broad vs. Focused Dollar Amount of Award (Phase I and II) Proposal preparation instructions Financial details (e.g., Indirect Cost Rates) Proposal review process Proposal success rates Types of award Commercialization assistance And more…………

Agency Differences ALWAYS CHECK WITH AGENCIES

Added Bonus - Cost Match Allows small businesses to seek additional funding for Phase II projects from non-SBIR sources Minimum of $100,000 to maximum of $500,000 of outside funding Matched by DHS SBIR up to $250,000 in a 1:2 ratio Additional funds require additional scope – need to either add R&D on SBIR contract or other development and commercialization activities (or some of both) Cost match is a motivator for, and an indicator of, commercial potential

DHS SBIR Phase I Data from 14 Competitions through FY10.2* HI 17/3 OR 22/5 WA 51/12 AK 3/1 CA 535/104 NV 17/1 ID 8/0 MT 9/2 ND 1/0 SD 2/0 NE 7/1 KS 6/1 WY UT 28/7 CO 68/10 AZ 46/10 NM 42/7 TX 140/23 OK 10/3 MN 41/7 WI 13/2 IA 4/0 MO 19/2 AR 3/0 LA MI 70/9 IL 49/6 IN 35/3 OH 49/1 PA 63/8 KY 10/1 TN 19/1 VA 239/35 NC 32/5 SC 8/1 GA 39/3 FL 93/11 AL 48/7 MS 5/0 WV 10/1 NY 101/28 ME 11/0 NH 25/6 VT 10/1 RI 7/1 CT 47/8 NJ 69/6 DE 9/0 MD 169/23 PR 3/0 DC 6/0 MA 269/55 Total Phase I Submissions/Awards 2,608/423 * Includes STTR data

Small Business Innovative Research (SBIR) Important program for creating new innovation and accelerating transition into the marketplace Since 2004, DHS S&T Cyber Security has had: 63 Phase I efforts 28 Phase II efforts 5 Phase II efforts currently in progress 9 commercial/open source products available Four acquisitions Komoku, Inc. (MD) acquired by Microsoft in March 2008 Endeavor Systems (VA) acquired by McAfee in January 2009 Solidcore (CA) acquired by McAfee in June 2009 HBGary (CA) acquired by ManTech in February 2012

Useful Web Sites and DHS S&T Directorate SBIR Point of Contact https://sbir.dhs.gov www.baa.st.dhs.gov www.dhs.gov www.dhs.gov/xopnbiz/ www.fedbizopps.gov www.sbir.gov Elissa (Lisa) Sobolewski DHS SBIR Program Director elissa.sobolewski@dhs.gov (202) 254-6768 S&T SBIR Program Email: STSBIR.PROGRAM@dhs.gov

Broad Agency Announcement (BAA) https://baa2.st.dhs.gov Delivers both near-term and medium-term solutions To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure, based on customer requirements To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging cybersecurity systems; To facilitate the transfer of these technologies into operational environments. Proposals Received According to 3 Levels of Technology Maturity Type I (New Technologies) Applied Research Phase Development Phase Demo in Op Environ. Funding ≤ $3M & 36 mos. Type II (Prototype Technologies) More Mature Prototypes Development Phase Demo in Op Environ. Funding ≤ $2M & 24 mos. Type III (Mature Technologies) Mature Technology Demo Only in Op Environ. Funding ≤ $750K & 12 mos. Note: Technology Demonstrations = Test, Evaluation, and Pilot deployment in DHS “customer” environments

BAA 11-02 Technical Topic Areas (TTAs) Software Assurance DHS, FSSCC TTA-2 Enterprise-Level Security Metrics TTA-3 Usable Security TTA-4 Insider Threat TTA-5 Resilient Systems and Networks TTA-6 Modeling of Internet Attacks DHS TTA-7 Network Mapping and Measurement TTA-8 Incident Response Communities TTA-9 Cyber Economics CNCI TTA-10 Digital Provenance TTA-11 Hardware-Enabled Trust TTA-12 Moving Target Defense TTA-13 Nature-Inspired Cyber Health TTA-14 Software Assurance MarketPlace (SWAMP) S&T 1003 White Papers 224 Full Proposals encouraged Expected awards in Aug 2012

DHS S&T Long Range Broad Agency Announcement (LRBAA) 12-07 S&T seeks R&D projects for revolutionary, evolving, and maturing technologies that demonstrate the potential for significant improvement in homeland security missions and operations Offerors can submit a pre-submission inquiry prior to White Paper submission that is reviewed by an S&T Program Manager CSD has 14 Topic Areas (CSD.01 – CSD.14) – SEE NEXT SLIDE LRBAA 12-07 Closes on 12/31/12 at 11:59 PM S&T BAA Website: https://baa2.st.dhs.gov Additional information can be found on the Federal Business Opportunities website (www.fbo.gov) (Solicitation #:DHSS-TLRBAA12-07)

LRBAA Summary Listing CSD.09 – Cyber security competitions and education and curriculum development. CSD.10 – Process Control Systems and Critical Infrastructure Security CSD.11 – Internet Measurement and Attack Modeling CSD.12 – Securing the mobile workforce CSD.13 - Security in cloud based systems CSD.14 – Experiments – Technologies developed through federally funded research requiring test and evaluation in experimental operational environments to facilitate transition. CSD.01 – Comprehensive National Cybersecurity Initiative and Federal R&D Strategic Plan topics CSD.02 – Internet Infrastructure Security CSD.03 – National Research Infrastructure CSD.04 –Homeland Open Security Technology CSD.05 – Forensics support to law enforcement CSD.06 – Identity Management CSD.07 – Data Privacy and Information Flow technologies CSD.08 – Software Assurance

A Roadmap for Cybersecurity Research http://www.cyber.st.dhs.gov Scalable Trustworthy Systems Enterprise Level Metrics System Evaluation Lifecycle Combatting Insider Threats Combatting Malware and Botnets Global-Scale Identity Management Survivability of Time-Critical Systems Situational Understanding and Attack Attribution Information Provenance Privacy-Aware Security Usable Security

Summary Learn about the agencies, their missions, and meet the Program Managers Build your team to deliver – consider including contracting personnel Understand the opportunities – SBIR, STTR, BAA, CNCI R&D, RFP (not discussed in this presentation)

For more information, visit http://www.cyber.st.dhs.gov Douglas Maughan, Ph.D. Division Director Cyber Security Division Homeland Security Advanced Research Projects Agency (HSARPA) douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170 For more information, visit http://www.cyber.st.dhs.gov