The Defense Advanced Research Projects Agency (DARPA) Information Innovation Office (I2O) will conduct a briefing in support of the anticipated Broad Agency Announcement (BAA) for the VET – Vetting Commodity IT Software and Firmware program. When released, the BAA will be posted on the Federal Business Opportunities (FBO) website, http://www.fedbizopps.gov, and possibly the Grants.gov website, http://www.grants.gov/. This Proposers’ Day is unclassified.
Attendance at the VET Proposers’ Day is voluntary and is not required to propose to subsequent solicitations (if any) on this topic. The Proposers’ Day does not constitute a formal solicitation for proposals or abstracts. This announcement is issued solely for information and program planning purposes and is not a Request for Information (RFI). Since this is not an RFI, no submissions against this notice will be accepted by the Government. DARPA will not provide reimbursement for costs incurred to participate in this Proposers’ Day. Interested parties to this notice are cautioned that nothing herein obligates the Government to issue a solicitation.
The VET program will seek to demonstrate that it is technically feasible for the Department of Defense (DoD) to determine that the software and firmware shipped on commodity Information Technology (IT) devices is free of broad classes of backdoors and other hidden malicious functionality. Some common examples of commodity IT devices include mobile phones, network routers, printers, and computer workstations. If present, backdoors and other hidden malicious functionality could enable an adversary to use commodity IT devices deployed in the DoD as tools to accomplish a variety of harmful objectives, including the exfiltration of sensitive data and the sabotage of critical operations. The goal of making this determination for every new device in a timely fashion at scale across all of DoD is beyond presently deployed techniques. The VET program will seek to develop and demonstrate new tools and techniques to establish that this goal is technically feasible.
The VET program must overcome three major technical challenges in order to demonstrate that potential deployment scenarios, like the one above, are technically feasible:
(1) Defining malice – Given a sample device, how can DoD analysts produce a prioritized checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out?
(2) Confirming the absence of malice – Given a checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out, how can DoD analysts demonstrate the absence of those broad classes of hidden malicious functionality?
(3) Examining equipment at scale – Given a means for DoD analysts to demonstrate the absence of broad classes of hidden malicious functionality in sample devices in the lab, how can this procedure scale to non-specialist technicians who must vet every individual new device in DoD before deployment?
DARPA anticipates that the VET program will include multiple Technical Areas (TAs), likely including TAs for research to address the above major technical challenges, a TA to provide these researchers with an Adversarial Challenge, and TAs to conduct competitive Engagements and Integration.
The purpose of the VET Proposers’ Day is:
• to familiarize participants with DARPA’s interest in demonstrating that the software and firmware shipped on commodity Information Technology (IT) devices is free of broad classes of backdoors and other hidden malicious functionality;
• to identify potential proposers and promote understanding of the anticipated VET BAA proposal requirements; and
• to promote discussion of synergistic capabilities among potential program participants.
It is DARPA’s desire to receive comprehensive, quality responses to the anticipated VET BAA. To assist those wanting to form strong, collaborative teaming efforts and business relationships, a teaming website will be established to facilitate formation of teaming arrangements between interested parties. Specific content, communications, networking, and team formation are the sole responsibility of the participants. Neither DARPA nor the DoD endorses the destination website or the information and organizations contained therein. The website address will be provided in the BAA.
Additional information regarding the VET BAA will be available at http://www.darpa.mil/Opportunities/Solicitations/I2O_Solicitations.aspx, following the publication of the BAA on FBO. It is anticipated that the VET BAA will be released by the beginning of December 2012. If a BAA is released, materials presented at the Proposers’ Day, as well as a frequently asked questions (FAQ) document, compiling questions and answers received to date, may be made available at http://www.darpa.mil/Opportunities/Solicitations/I2O_Solicitations.aspx.