Description:
TECHNOLOGY AREA(S): Information Systems
The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), which controls the export and import of defense-related material and services. Offerors must disclose any proposed use of foreign nationals, their country of origin, and what tasks each would accomplish in the statement of work in accordance with section 5.4.c.(8) of the solicitation.
OBJECTIVE: Develop a patch management system capable of providing automated and continuous Information Assurance (IA) patches for fielded, tactical systems, while providing a remote capability for auditing and assessing system vulnerability.
DESCRIPTION: In accordance with the Army Cyber Command Operations Order (OPORD) 2011-051, vulnerabilities are exploitable weaknesses in software that provide an adversary with an opportunity to compromise the confidentiality, integrity, and/or availability of an Information System (IS). These vulnerabilities are being actively exploited in DoD networks and pose a high risk to Army IS. Consequently, units are being required to expedite efforts to mitigate risks posed by vulnerabilities.
The current operational tempo is such that IAVAs are network accessible via AKO on a monthly basis for connected systems. IAVAs are replicated and distributed via CD/DVD on a quarterly basis for systems without network connectivity. In an effort to meet Army demands for increased timeliness of IAVA releases, the Army will be required to release IAVAs at an accelerated rate for each system’s state of connectivity.
Historically, frequent updates typically require additional resources for the engineering (test-fix-test) cycle. They would also increase utilization of additional resources such as replication, installation and distribution services, and therefore lifecycle cost. Continuous updates will also increase the impact on Field Support Engineers (FSEs), requiring them to install software on a frequent basis for the units in the field.
Current sustainment efforts include an initial scan of the system for identification of IA vulnerabilities. These vulnerabilities are collected over a period of time, mitigated and finally tested. If items do not successfully pass, they must be documented in the Plan of Action & Milestones (POA&M) and mitigated at a later date. Once the system has successfully passed all testing (or the POA&M is updated accordingly), all IAVA fixes are packaged into a software release and fielded. While the system is in the field, there is potential that new threats will be identified that leave the system in a vulnerable state. As a result, a patch must again be applied, tested and delivered, no later than 72 hours after notification.
When a physical release of IAVA updates occurs, especially on a monthly basis, software sustainment costs increase drastically. Systems must be validated and verified; POA&Ms must be updated; test reports must be prepared; software must be shipped more frequently; and Field Service Engineering support increases. When releases occur at an accelerated rate and deviate from the standard quarterly IAVA release, the demand on available resources also increases.
The metrics below estimate the cost of monthly IAVMs for a single baseline over a 12-month period:
- Gather IA threats and collect at least monthly; scan, mitigate, test, and deliver an IAVM update monthly; update POAM monthly: $600K
- Develop, test and deliver an emergency IAVM update as required with delivery no longer than 72 hours after notification (two per month): $750K
- Conduct validation and verification scans of the monthly update; prepare and deliver “Results” report: $300K
- Vendor CM, QA, delivery, printing, material, shipping: $300K
- SEC CM and Release: $30K
- RDIT distribution of Monthly Releases to FSRs; electronic distribution of Emergency Releases to units: $30K
- Field Service Engineer install and validate installation: $3500K
- Total Cost: $5510K
Development of a technical solution which ensures that IAVAs are released on a continuous basis is required, with the capability to identify potential threats and conduct vulnerability assessments in near real-time. The solution should also be capable of providing a complete view of vulnerability and exploit risks, based on threat insights. Frequent IAVA updates to software will be required to mitigate issues and protect Army tactical systems while reducing software sustainment cost.
Supported software resides on multiple domains ranging from unclassified through TS/SCI. There is a need to keep IAVA mitigation at the lowest classification possible to allow for ease of access by system administrators (FSEs & 35Ts) and replication if required. Currently, monthly IAVAs are posted to AKO-S, which presents a challenge for disconnected systems that reside on other domains and for systems on closed networks that need the updates prior to the distribution on CD/DVD.
A network-only solution will require an instantiation on every possible domain, and there will still be a need to remediate systems that require reloading or have been disconnected from a network for a period of time. The connection must provide secure electronic software distribution for issue mitigation. The network solution will also be required to include a secure software tool that allows for remote access across each domain. The intent of the tool is to assist units with quickly resolving technical issues that may arise while updating software. This will help reduce FSE manpower while enhancing the user experience for the Warfighter.
PHASE I: Develop a concept which documents a process for developing a patch management system capable of providing automated and continuous Information Assurance (IA) patches for fielded, tactical systems, while providing a remote capability for auditing and assessing system vulnerability.
Provide a detailed design of a solution that provides the capability to identify potential threats, conduct vulnerability assessments in near real-time, and mitigate IAVA issues. The solution shall also provide remote IAVA updates to software on Army tactical systems while reducing software sustainment cost. Complete a system design concept and demonstrate through modeling, analysis, or prototype that it meets the requirements. A requirements analysis report and a design study document shall be part of the final report. The final report shall also include the estimated cost for development of the capability.
PHASE II: Develop a working prototype augmented reality capability of the IAVA Management system, for use with a Tactical System, that is based on the selected Phase I design.
Interface the capability to the Army’s network through the use of a tactical system. Perform evaluation tests of the capability using simulated mission scenarios and validate that the approach identifies and mitigates issues and remotely updates IAVA patches on Tactical Systems. In addition to delivering the prototype augmented reality capability, a report shall be submitted detailing testing and demonstration results. This report shall identify key performance parameters related to how the augmented reality capability mitigates issues and protects Army tactical systems while reducing software sustainment cost.
PHASE III DUAL USE APPLICATIONS: Implement the solution as part of a tactical system and deploy the system for test and evaluation using commercially available technologies. The implementation should ensure that the system is interoperable with the existing system of systems. Perform the steps required to commercialize the system. In conjunction with the Army, optimize the prototype created in Phase II. The technology developed should result in a capability that can be used by the Warfighter.
KEYWORDS: IAVA, Cyber Security, Remote Install, FSE, Tactical