You are here

Secure Computing Autonomous Network (SCAN)


TECHNOLOGY AREA(S): Information Systems

OBJECTIVE: Develop, demonstrate, and field a private distributed platform that can continuously identify, assess, report, and mitigate threats, vulnerabilities, and disruptions to DLA’s network-connected devices.The platform should be scalable with low bandwidth and compute resource requirements.It should also be capable of running asynchronously within isolated environments outside of network connectivity.

DESCRIPTION: DLA requires a cyber-detection platform that comprehensively addresses supply chain security challenges, evolves as new threats emerge, and endures the test of time to provide uninterrupted support to the warfighter.The platform should provide distributed command-and-control of cyber threats, including the ability to rapidly stop effects and restore normal operations.The platform must not harm the underlying network infrastructure or host systems.The platform architecture should be system-agnostic and provide distributed aggregation and storage of all relevant cybersecurity data, allowing for real-time analysis of any network.The platform should passively monitor system data for problem trends and behaviors, and then issue warnings to the operators of more significant systemic faults.The platform should automatically update its risk index to address emerging threats.The platform should classify device-related errors, and have behavior-based or anomaly-based detection of threats that may otherwise go undetected.In all cases, the platform may be required to function under a variety of scenarios within isolated environments that do not support robust learning models.This lack of connectivity to models makes the common approach to cyber detection less effective.An alternative approach is to focus on coupling machine learning (ML) with distributed ledger technologies (DLT) to provide indexed integrity of system interactions.The ability to interface with simulation environments is also of interest.

PHASE I: Not Required.The vendor must demonstrate Proof of Concept via a technical volume not to exceed 20 pages.This volume is included as part of the Phase II Technical volume (Volume 2)FEASIBILITY DOCUMENTATION: Offerors interested in participating in Direct to Phase II must include in their response to this topic Phase I feasibility documentation that substantiates the scientific and technical merit and Phase I feasibility described in Phase I above has been met (i.e. the small business must have performed Phase I-type research and development related to the topic, but from non-SBIR funding sources) and describe the potential commercialization applications.The documentation provided must validate that the proposer has completed development of technology as stated in Phase I above.Documentation should include all relevant information including, but not limited to: technical reports, test data, prototype designs/models, and performance goals/results.Work submitted within the feasibility documentation must have been substantially performed by the offeror and/or the principal investigator (PI).Read and follow all of the DLA SBIR 20.2 Direct to Phase II solicitation Instructions.For a Direct to Phase II topic, the Government expects that the small business would identify the following actions in their Feasibility Documentation:• At a minimum, a workable concept for a Secure Computing Autonomous Network (SCAN) prototype that addresses the basic requirements of the stated objective above. • Develop a distributed platform that can conduct automated scans of various data streams to learn, predict, and mitigate future disturbances, abnormal trends, and problems. • Develop and prove feasibility of a Concept of Operation (CONOP) for the use of the platform.Develop a preliminary design to implement the CONOP. • Address all viable overall platform design options with respective specifications on software modularity, hardware requirements for computational power and capacity, system/sensor agnosticism, and dissemination of information products requested by the user community.

PHASE II: Update the CONOP and develop the detailed design and prototype for the cyber-threat mitigation platform.Detail how the platform enables tactical analysts to detect and mitigate threats and restore operations.Demonstrate all major prototype features in a representative environment.The environment should also include hybrid cloud scenarios where the platform must maintain a shared repository across system enclaves for tactical users to pull and share products, as required.Develop a transition plan that identifies the scope, effort, and resources required to extend the prototype platform to additional analysis methods or data streams; and development of an out-of-network capability for offline threat detection.Deliver a Data Disclosure Package (DDP) that includes at a minimum: form, fit, function, operation, maintenance, installation and training data, procedures and information plus the data necessary or related to overall physical, functional, interface, and performance characteristics; corrections or changes to Government-furnished data or software; and data or software that the Government has previously received unlimited rights to or that is otherwise lawfully available to the Government.

PHASE III: Work with the DLA to implement the platform as described in the Phase II transition plan at a designated DLA lab.Participate in a Preliminary Design Review (PDR) event.Install on a DLA-designated staging environment for system performance testing.Ensure sufficient cybersecurity and software assurance requirements are met in accordance with DFARS Clause 252.204–7012, NIST Special Publication 800–171, NIST Special Publication 800–53, and NIST Special Publication 800–37.All RMF requirements must be met to enable platform deployment on DLA systems.Provide an updated DDP that must include at a minimum: any updates to the Phase II DDP, installation, and maintenance procedures; demonstrated compliance with RMF requirements and qualification testing results; and authority to operate certifications for DLA system use.Prior to fielding, provide onsite training of the platform design, operation, maintenance, and interfaces.Provide documentation and support materials to transfer the platform to DLA SMEs.PHASE III DUAL USE APPLICATIONS: This platform has dual-use commercial or military applications in any complex system that either uses sensors to detect abnormalities or synthesizes multiple unrelated data streams for failure analysis or fault localization of its underlying sub-systems.

KEYWORDS: Anomaly Detection, Behavior-Based Detection, Blockchain, Classification, Computer Network Traffic Analysis, Cryptography, Cybersecurity, Data Analysis, Data Provenance, Decentralized Logging, Logistics Platforms, Machine Learning, Networking, Network Intrusion Detection, Pattern Matching, Supply Chain Risk Management, SCRM, System Of Systems, Zero Trust


1. DoD Enterprise DevSecOps Reference Design, August 2019.–09–26–115824–583 2. It Takes an Average 38 Days to Patch a Vulnerability, Kelly Sheridan, Dark Reading, August 2018.–38-days-to-patch-a-vulnerability/d/d-id/1332638 3. Cyber-security Framework for Multi-Cloud Environment, Taslet Security, September 2018. 4. Zero Trust: Beyond Access Controls, Rob MacDonald, HelpNetSecurity, January 2020.

US Flag An Official Website of the United States Government