Quantitative Cybersecurity Risk Assessment (QCRA)
Navy SBIR 2018.1 - Topic N181-043
NAVSEA - Mr. Dean Putnam - dean.r.putnam@navy.mil
Opens: January 8, 2018 - Closes: February 7, 2018 (8:00 PM ET)


TITLE: Quantitative Cybersecurity Risk Assessment (QCRA)


TECHNOLOGY AREA(S): Information Systems

ACQUISITION PROGRAM: Office of Naval Research Science & Technology.  Division 311.

OBJECTIVE: Develop an automated tool to determine the levels of cybersecurity risks quantitatively to enable allocation of cybersecurity solutions in the early design stage such as Technology Maturation and Risk Reduction (TMRR) phase and reduce the time to implement cybersecurity requirements.

DESCRIPTION: Cybersecurity is the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. As Cybersecurity is an emerging concern worldwide and is one of the focus areas in NAVSEA today, it is critical to integrate cybersecurity into our products in early design stage to protect our Naval Control Systems (NCS) such as weapons systems, navigation systems, and Hull, Mechanical, and Electrical systems. Protecting NCS requires risk assessment that identifies and prioritizes cybersecurity risks in terms of cyber threats, mission impact, vulnerability, and cost. A software tool that encompasses a design for the construction of a complex software system that continuously maintains confidentiality, integrity, and availability of information and information structures for NCS is needed in the early design stage.  Cybersecurity threats and vulnerabilities change frequently.  As a result, cybersecurity requirements will also change.  Therefore, there is a need for the software tool to be tailorable.

There are existing processes, tools, and methodologies in various enterprises. As indicated in References 1, 2 and 3, risks are assessed based on risk factors such as threat models, probability, vulnerabilities, and impacts.  However, they lack security metrics where the levels of risks are determined quantitatively and the risk factors vary from one another.  Some tools require detail information of systems, which may not be available when systems are in the early design stage. The current state of the technology includes algorithms that automatically categorize and quantify security risks from disclosure of information.  However, the tools are not explicitly for NCS and do not satisfy the requirements of Department of the Navy (DON) cybersecurity policies, and processes.

The current risk assessments that are widely used by NAVSEA are qualitative analysis that use a relative scale of “Low, Medium, High” to measure risks in terms of impact and probability.  The qualitative analysis and assessment are subjective as they depend heavily on knowledge from subject matter experts (SMEs). However, the current approaches could potentially introduce subjective assessments that could vary by different SMEs and take time, as it is a manual process of human-in-the-loop. NAVSEA, therefore, needs a standardized and automated tool to assess cybersecurity risk quantitatively to avoid subjective analysis and assessments and reduce design time. The risk factors such as threats, system vulnerabilities, mission impacts, technical performance, schedule, and cost need to be considered as a part of risk assessment process.  Success will depend on the verification and validation of the requirements for each of these factors.  The recommended cybersecurity solutions to mitigate risks should be produced for the systems based on the risk factors and high-level architecture designs.  In addition, the tool should incorporate DON Cybersecurity requirements and policies and leverage available public sources such as the National Vulnerability Database (NVD) and the Industrial Control Systems Cyber Emergency Response Teams (ICS-CERTs) Advisories.

Risk identification and mitigation with appropriate cybersecurity solutions should be integrated throughout the lifecycle. Given the constraints such as budgets and schedule, the proposed tool can be used to ensure cybersecurity solutions, prioritization and cost tradeoffs occur as early as possible in the acquisition lifecycle. This early design decisions and changes yield reductions in production costs. This tool can also aid in determining and eliminating potential threat vectors to future depot capability and workforce safety, thereby reducing the shipyard operations and maintenance costs. Reductions in operational costs have an impact on the maintenance schedule, which in turn results in reduction of planning hours.

The end goal of this proposed tool is to protect afloat systems by allocating cybersecurity solutions to mitigate cybersecurity risks in the early design stage during the acquisition lifecycle so that cybersecurity is “built-in” systems rather than “bolt-on” systems after the systems are already built which could be more expensive. This can affordably integrate cybersecurity into our current and future products and reduce cybersecurity costs in the acquisition lifecycle by 50%.  Development and use of this tool throughout the acquisition process will ensure appropriate accountability for cybersecurity risk management.

PHASE I: Define a concept of quantitative cybersecurity risk assessment that accounts for potential threats, vulnerabilities, mission impacts, costs, and cybersecurity policies. Develop a concept for an automated tool that determines the levels of cybersecurity risk quantitatively and provides recommended cybersecurity solutions. Demonstrate the technical feasibility of the concept by using models of control systems similar to NCS. The Phase I Option, if awarded, will include the initial design specifications and capabilities description to build a prototype solution in Phase II. Develop a Phase II plan.  It is essential that a detailed letter of support for a Phase II proposal is provided to describe to what algorithm/software will transition and when.

PHASE II: Based on the results of Phase I and the Phase II Statement of Work (SOW), develop and deliver a prototype system and validate it with respect to the objective stated above. Produce prototype software based on Phase I work, and demonstrate the operations of the prototype using models of high-level ship architectures. Evaluate the prototype by verifying and validating the requirements. Follow the U.S. Navy Afloat Control Systems Cybersecurity Classification Guide to classify the tool appropriately. Provide the prototype to the Government for testing upon completion of Phase II.

PHASE III DUAL USE APPLICATIONS: Support the Navy in transitioning the technology to Navy use. Produce a final product technology that is mature and usable in the context of its proposed application.  NAVSEA will use the product during ship design in cybersecurity efforts such as Risk Management Framework (RMF) and Navy Cybersecurity Safety (CYBERSAFE).  The technology must meet critical Navy needs by supporting the cybersecurity effort throughout the entire acquisition process.  The product will be validated, tested, qualified, and certified using requirements, systems, and In-Service Engineering Agents (ISEAs).

The tool should be tailorable.  Therefore, the systems, databases, standards, specifications, and documents used in the development of the tool can be tailored for systems other than NCS.


1. Mulligan, M. R. “State Methods for a Cyber incident.” Naval Postgraduate School Thesis, 2012, page 15.  http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA579645&Location=U2&doc=GetTRDoc.pdf

2. Morgeson, J. D., Brooks, P. S., Disraelly, D. S, Erb, J. L., Neiman, M. L., Picard, W. C. “Doctrinal Guidelines for Quantitative Vulnerability Assessments of Infrastructure-Related Risks Volume I.” http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA558820

3. Shiva, S., Dasgupta, D., & Wu, Q.  “Game Theoretic Approaches to Protect Cyberspace.” The Office of Naval Research.  http://www.dtic.mil/cgi-bin/GetTRDoc Location=U2&doc=GetTRDoc.pdf&AD=ADA519126

KEYWORDS: Quantitative Risk Assessment; Quantitative Cybersecurity Risk Assessment; Risk Mitigation for Cybersecurity; Naval Control Systems; Early Design Stage of Navy Ships; Quantitative Risk Metric


These Navy Topics are part of the overall DoD 2018.1 SBIR BAA. The DoD issued its 2018.1 BAA SBIR pre-release on November 29, 2017, which opens to receive proposals on January 8, 2018, and closes February 7, 2018 at 8:00 PM ET.

Between November 29, 2017 and January 7, 2018 you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2018
when DoD begins accepting proposals for this BAA.
However, until January 24, 2018, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.

Topics Search Engine: Visit the DoD Topic Search Tool at sbir.defensebusiness.org/topics/ to find topics by keyword across all DoD Components participating in this BAA.

Proposal Submission: All SBIR/STTR Proposals must be submitted electronically through the DoD SBIR/STTR Electronic Submission Website, as described in the Proposal Preparation and Submission of Proposal sections of the program Announcement.

Help: If you have general questions about DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or via email at sbirhelp@bytecubed.com