TITLE: Unified Logging Architecture for Performance and Cybersecurity Monitoring
ACQUISITION PROGRAM: PEO IWS 5, AN/SQQ-89A(V)15 and related Undersea Warfare AxB
Programs Program Office
OBJECTIVE: Develop a unified logging architecture that supports collection,
aggregation, storage, and analysis of system performance and cybersecurity
logs, events, and alerts produced by Naval Control Systems (NCS).
DESCRIPTION: Naval Control Systems (NCSs) consist of systems of systems divided
into enclaves (e.g., Hull Mechanical and Electrical, Combat System, etc.).
Existing NCS
architectures do not support the aggregation of logs, events, and alerts from
individual system nodes into a centralized repository for storage and analysis
of the performance and cybersecurity status of the entire NCS. Current analysis
of performance and cybersecurity monitoring is typically conducted at the
system or sub-system level, resulting in implementation differences,
incompatibility between monitoring systems, and failure to produce a full view
of the NCS status. Operators and maintainers of NCS need an architecture that
supports collection of all logs, events, and alerts from nodes within the NCS
into a single repository for analysis, monitoring, and alerting. Nothing is
currently available commercially for complex systems of systems. While some
logging capability may exist for simpler systems, these approaches do not
extend to complex federated
A unified logging architecture will incorporate performance and cybersecurity
monitoring capabilities at the host and network level, based on standards,
guidelines, and best practices documented in the National Institute of
Standards and Technology (NIST) Cybersecurity Framework and Department of the
Navy Chief Information Officer (DONCIO) cybersecurity policy and guidance. At
the node level, the performance monitoring capability will provide telemetry
metrics (e.g., memory usage, central processing unit usage, disk usage, etc.)
while the cybersecurity monitoring capability will provide information relevant
to the cybersecurity status of the node (e.g., logged in users, connected
devices, running processes, network port status, file integrity, etc.). Network
performance and security monitoring will be provided by appropriately located
network taps and/or switch monitoring ports that provide system network traffic
to a network intrusion detection system (NIDS) platform and a network security
monitoring (NSM) platform. This will permit the computer network traffic to be
analyzed and monitored, and alerts to be generated as needed.
Within the architecture, the node and network-based monitoring capabilities
will send real-time logs, events, and alerts to a centralized data pipeline for
storage and consumption by analytic and reporting tools. The central storage
capability will serve as a distributed streaming platform that provides for
publishing and subscribing to streams of data, storage of data in a
fault-tolerant manner, and processing of streams of data as they occur. The use
of open-source software (OSS) and commercial off-the-shelf (COTS) hardware and
software will provide industry proven capabilities for integration into NCS.
While the COTS/OSS capabilities (e.g., RedHat Linux and servers) are currently
deployed in traditional networks across industry sectors, research and
development to support the selection and integration of the capabilities into
existing and future NCS will be required to fully implement the desired
The architecture should support production and consumption of data streams
through a secure and modular interface by employing open standards such as
JavaScript Object Notation (JSON) for data exchange. This architecture will
allow for the
addition of new producers and consumers of data streams without perturbing the
underlying logging system. For example, a new sub-system added to the NCS
should be able to include the performance and cybersecurity monitoring
capabilities during installation with the associated events, logs, and alerts
being provided to the centralized storage pipeline for consumption without
requiring modification of the unified logging architecture. Additionally, new
consumers of data streams such as a security incident and event manager (SIEM)
should be able to analyze existing data streams without requiring modification
of the unified logging architecture.
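The decoupling described above, sketched as an added example that is not part of the solicitation or of any Navy or vendor code: producers publish JSON records in a common envelope, and a consumer attached later reads existing streams from the start. The envelope fields, the "kind.enclave" topic naming and the Pipeline class are assumptions, and an in-memory list stands in for the distributed streaming platform.

```python
import json
from collections import defaultdict

# Assumed envelope: every producer emits these fields, whatever its OS or subsystem.
REQUIRED = {"ts", "enclave", "node", "kind", "type", "data"}
KINDS = ("performance", "security")

class Pipeline:
    """Append-only log per topic; each consumer keeps its own read offset."""
    def __init__(self):
        self._topics = defaultdict(list)   # "kind.enclave" -> JSON records
        self._offsets = defaultdict(int)   # (consumer, topic) -> next index
        self.rejected = []                 # malformed input kept for review

    def publish(self, raw):
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict) or not REQUIRED <= ev.keys() \
                or ev["kind"] not in KINDS:
            self.rejected.append(raw)
            return False
        self._topics[f'{ev["kind"]}.{ev["enclave"]}'].append(raw)
        return True

    def poll(self, consumer, prefix):
        """Return records this consumer has not yet read on matching topics."""
        out = []
        for topic in sorted(t for t in self._topics if t.startswith(prefix)):
            log, key = self._topics[topic], (consumer, topic)
            out += [json.loads(r) for r in log[self._offsets[key]:]]
            self._offsets[key] = len(log)
        return out

def event(ts, enclave, node, kind, type_, data):
    return json.dumps(dict(ts=ts, enclave=enclave, node=node, kind=kind,
                           type=type_, data=data))

def demo():
    p, t = Pipeline(), "2019-01-08T12:00:00Z"      # all records are constructed
    p.publish(event(t, "combat", "node-a", "performance", "telemetry", {"cpu_pct": 91}))
    p.publish(event(t, "combat", "nids-1", "security", "alert", {"src": "10.0.0.5"}))
    p.publish('{"kind": "security"}')              # incomplete envelope: rejected
    dashboard = p.poll("dashboard", "performance.")
    # A subsystem in another enclave starts publishing; the pipeline is unchanged.
    p.publish(event(t, "hme", "node-b", "security", "file_integrity", {"path": "/etc/passwd"}))
    # A SIEM attached later still reads the security streams from the beginning.
    siem = p.poll("siem", "security.")
    return len(dashboard), [e["node"] for e in siem], len(p.poll("siem", "security.")), len(p.rejected)
```

Records that fail the envelope check are kept in `rejected` rather than discarded, so a misbehaving or spoofed producer remains visible to analysts.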
The resulting architecture and data producer capabilities will be operating
system agnostic and will provide centralized aggregation and storage of all
relevant performance and cybersecurity data, allowing for modular analysis of
data streams by analytic and alerting capabilities to provide a unified status
of the entire NCS in real time.
PHASE I: Define and develop a concept for the architecture and software that
enable the unified collection,
production and consumption of log, event, and alert data streams for all
components of the NCS. Ensure that the concept will feasibly address the
requirements discussed in the Description for meeting centralized performance
and cybersecurity monitoring within the NCS. Develop a Phase II plan. The Phase
I Option, if exercised, will include the initial design specifications and
capabilities description to build a prototype solution in Phase II, as well as
determining an appropriate unclassified NCS.
PHASE II: Develop and deliver a prototype of the architecture and software for
unified logging of performance
and cybersecurity related data streams based on the results of Phase I and the
Phase II Statement of Work (SOW). Create a unified logging architecture model
for any Navy-specified NCS that incorporates the key attributes defined in the
Description. Demonstrate that it can meet the parameters described in the
Description to utilize existing Navy-specified system and sub-system components
to provide performance- and cybersecurity-related data streams to a centralized
aggregation and storage framework for consumption by analytic and monitoring
systems to support visibility of full NCS status. Provide a facility for the
initial demonstration with final testing and certification occurring at a
Government-provided facility. Prepare a Phase III development plan to
transition the technology for Navy use.
PHASE III DUAL USE APPLICATIONS: Assist the Navy in transitioning the
demonstrated technologies to the Navy. The architecture should be suitable for
Navy-specified NCSs and the awardee must support associated system engineering
activities of NCS Program offices,
with Integrated Warfare Systems (IWS) 5.0 serving as the initial planned
The architecture developed can easily be adapted to non-Navy systems that
require centralized visibility of system of systems performance and
cybersecurity status in complex, critical environments. Centralized logging for
performance and cybersecurity monitoring is of high interest to both the DoD
and private industry in understanding and protecting their networks. Any
industry that uses a complicated network or system of systems architecture such
as healthcare systems (e.g., hospitals, clinics, nursing homes, rehabilitation
units, and patient homes) could use this technology.
KEYWORDS: Computer Network Traffic Analysis; Centralized Logging; Network
Intrusion Detection; Naval Control Systems; System of Systems
** TOPIC NOTICE **
These Navy Topics are part of the overall DoD 2019.A STTR BAA. The DoD issued its 2019.1 BAA STTR pre-release on November 28, 2018, which opens to receive proposals on January 8, 2019, and closes February 6, 2019 at 8:00 PM ET.
Between November 28, 2018 and January 7, 2019 you may communicate directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2019 when DoD begins accepting proposals for this BAA.
However, until January 23, 2019, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.