TITLE: Quantitative Cybersecurity
Risk Assessment (QCRA)
ACQUISITION PROGRAM: Office
of Naval Research Science & Technology. Division 311.
OBJECTIVE: Develop an
automated tool to determine the levels of cybersecurity risks quantitatively to
enable allocation of cybersecurity solutions in the early design stage such as
Technology Maturation and Risk Reduction (TMRR) phase and reduce the time to
implement cybersecurity requirements.
DESCRIPTION: Cybersecurity is
the prevention of damage to, protection of, and restoration of computers,
electronic communications systems, electronic communications services, wire
communication, and electronic communication, including information contained
therein, to ensure its availability, integrity, authentication,
confidentiality, and nonrepudiation. As Cybersecurity is an emerging concern
worldwide and is one of the focus areas in NAVSEA today, it is critical to
integrate cybersecurity into our products in early design stage to protect our
Naval Control Systems (NCS) such as weapons systems, navigation systems, and
Hull, Mechanical, and Electrical systems. Protecting NCS requires risk
assessment that identifies and prioritizes cybersecurity risks in terms of
cyber threats, mission impact, vulnerability, and cost. A software tool that
encompasses a design for the construction of a complex software system that
continuously maintains confidentiality, integrity, and availability of
information and information structures for NCS is needed in the early design stage.
Cybersecurity threats and vulnerabilities change frequently. As a result,
cybersecurity requirements will also change. Therefore, there is a need for
the software tool to be tailorable.
There are existing processes, tools, and methodologies in various enterprises.
As indicated in References 1, 2 and 3, risks are assessed based on risk factors
such as threat models, probability, vulnerabilities, and impacts. However,
they lack security metrics where the levels of risks are determined
quantitatively and the risk factors vary from one another. Some tools require
detail information of systems, which may not be available when systems are in
the early design stage. The current state of the technology includes algorithms
that automatically categorize and quantify security risks from disclosure of
information. However, the tools are not explicitly for NCS and do not satisfy
the requirements of Department of the Navy (DON) cybersecurity policies, and
The current risk assessments that are widely used by NAVSEA are qualitative
analysis that use a relative scale of “Low, Medium, High” to measure risks in
terms of impact and probability. The qualitative analysis and assessment are
subjective as they depend heavily on knowledge from subject matter experts
(SMEs). However, the current approaches could potentially introduce subjective
assessments that could vary by different SMEs and take time, as it is a manual
process of human-in-the-loop. NAVSEA, therefore, needs a standardized and
automated tool to assess cybersecurity risk quantitatively to avoid subjective
analysis and assessments and reduce design time. The risk factors such as
threats, system vulnerabilities, mission impacts, technical performance,
schedule, and cost need to be considered as a part of risk assessment process.
Success will depend on the verification and validation of the requirements for
each of these factors. The recommended cybersecurity solutions to mitigate
risks should be produced for the systems based on the risk factors and
high-level architecture designs. In addition, the tool should incorporate DON
Cybersecurity requirements and policies and leverage available public sources
such as the National Vulnerability Database (NVD) and the Industrial Control
Systems Cyber Emergency Response Teams (ICS-CERTs) Advisories.
Risk identification and mitigation with appropriate cybersecurity solutions
should be integrated throughout the lifecycle. Given the constraints such as
budgets and schedule, the proposed tool can be used to ensure cybersecurity
solutions, prioritization and cost tradeoffs occur as early as possible in the
acquisition lifecycle. This early design decisions and changes yield reductions
in production costs. This tool can also aid in determining and eliminating potential
threat vectors to future depot capability and workforce safety, thereby
reducing the shipyard operations and maintenance costs. Reductions in
operational costs have an impact on the maintenance schedule, which in turn
results in reduction of planning hours.
The end goal of this proposed tool is to protect afloat systems by allocating
cybersecurity solutions to mitigate cybersecurity risks in the early design
stage during the acquisition lifecycle so that cybersecurity is “built-in”
systems rather than “bolt-on” systems after the systems are already built which
could be more expensive. This can affordably integrate cybersecurity into our
current and future products and reduce cybersecurity costs in the acquisition
lifecycle by 50%. Development and use of this tool throughout the acquisition
process will ensure appropriate accountability for cybersecurity risk
PHASE I: Define a concept of
quantitative cybersecurity risk assessment that accounts for potential threats,
vulnerabilities, mission impacts, costs, and cybersecurity policies. Develop a
concept for an automated tool that determines the levels of cybersecurity risk
quantitatively and provides recommended cybersecurity solutions. Demonstrate
the technical feasibility of the concept by using models of control systems
similar to NCS. The Phase I Option, if awarded, will include the initial design
specifications and capabilities description to build a prototype solution in
Phase II. Develop a Phase II plan. It is essential that a detailed letter of
support for a Phase II proposal is provided to describe to what
algorithm/software will transition and when.
PHASE II: Based on the
results of Phase I and the Phase II Statement of Work (SOW), develop and
deliver a prototype system and validate it with respect to the objective stated
above. Produce prototype software based on Phase I work, and demonstrate the
operations of the prototype using models of high-level ship architectures.
Evaluate the prototype by verifying and validating the requirements. Follow the
U.S. Navy Afloat Control Systems Cybersecurity Classification Guide to classify
the tool appropriately. Provide the prototype to the Government for testing
upon completion of Phase II.
PHASE III DUAL USE
APPLICATIONS: Support the Navy in transitioning the technology to Navy use.
Produce a final product technology that is mature and usable in the context of
its proposed application. NAVSEA will use the product during ship design in
cybersecurity efforts such as Risk Management Framework (RMF) and Navy
Cybersecurity Safety (CYBERSAFE). The technology must meet critical Navy needs
by supporting the cybersecurity effort throughout the entire acquisition
process. The product will be validated, tested, qualified, and certified using
requirements, systems, and In-Service Engineering Agents (ISEAs).
The tool should be tailorable. Therefore, the systems, databases, standards,
specifications, and documents used in the development of the tool can be
tailored for systems other than NCS.
1. Mulligan, M. R. “State
Methods for a Cyber incident.” Naval Postgraduate School Thesis, 2012, page
2. Morgeson, J. D., Brooks,
P. S., Disraelly, D. S, Erb, J. L., Neiman, M. L., Picard, W. C. “Doctrinal
Guidelines for Quantitative Vulnerability Assessments of Infrastructure-Related
Risks Volume I.” http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA558820
3. Shiva, S., Dasgupta, D.,
& Wu, Q. “Game Theoretic Approaches to Protect Cyberspace.” The Office of
Naval Research. http://www.dtic.mil/cgi-bin/GetTRDoc
KEYWORDS: Quantitative Risk
Assessment; Quantitative Cybersecurity Risk Assessment; Risk Mitigation for
Cybersecurity; Naval Control Systems; Early Design Stage of Navy Ships;
Quantitative Risk Metric
** TOPIC NOTICE **
These Navy Topics are part of the overall DoD 2018.1 SBIR BAA. The DoD issued its 2018.1 BAA SBIR pre-release on November 29, 2017, which opens to receive proposals on January 8, 2018, and closes February 7, 2018 at 8:00 PM ET.
Between November 29, 2017 and January 7, 2018 you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2018 when DoD begins accepting proposals for this BAA.
However, until January 24, 2018, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.
Topics Search Engine: Visit the DoD Topic Search Tool at sbir.defensebusiness.org/topics/ to find topics by keyword across all DoD Components participating in this BAA.
Proposal Submission: All SBIR/STTR Proposals must be submitted electronically through the DoD SBIR/STTR Electronic Submission Website, as described in the Proposal Preparation and Submission of Proposal sections of the program Announcement.
Help: If you have general questions about DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or via email at email@example.com