Real-time Zero Trust Data and Access Control for Combat Systems

Navy Phase I SBIR Topic: DON26BZ03-NV059
Naval Sea Systems Command (NAVSEA)
Pre-release 6/3/26   Opens to accept proposals 6/24/26   Closes 7/22/26 12:00pm ET

DON26BZ03-NV059 TITLE: Real-time Zero Trust Data and Access Control for Combat Systems

OUSW (R&E) CRITICAL TECHNOLOGY AREA(S): Applied Artificial Intelligence (AAI)

COMPONENT TECHNOLOGY PRIORITY AREA(S): Integrated Sensing and Cyber

PROJECTED CMMC LEVEL REQUIREMENT: Level 2 (Self)

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws. 

OBJECTIVE: Develop a real-time Zero Trust data access control system for combat systems.

DESCRIPTION: The Navy relies on combat system data for critical decision-making in wartime. This data must be secure to prevent unauthorized access and ensure its integrity. Current security measures are struggling to keep up with evolving threats, making it difficult to guarantee data is only seen by authorized personnel. This vulnerability compromises tactical advantages and risks operational effectiveness. Traditional security approaches are often too slow and inflexible for the dynamic nature of modern naval operations. An answer to this need is not commercially available.

The Navy seeks an adaptive "Zero Trust" data control system. Zero Trust is a security strategy for modern multi-cloud networks. Instead of focusing on the network perimeter, a Zero Trust security model enforces security policies for each individual connection between users, devices, applications and data.

Zero Trust operates on the principle of "never trust, always verify" rather than granting implicit trust to all users inside a network. This granular security approach helps address the cybersecurity risks posed by remote workers, hybrid cloud services, personally-owned devices, and other elements of today’s networks. This goes beyond simply having usernames and passwords. The Navy needs to verify every data access request in near real time, regardless of the user's location or device.

The sought solution requires leveraging both Government and commercial technologies: Advanced Authentication - moving beyond passwords to biometrics, multi-factor authentication, and behavioral analysis; Micro-segmentation - dividing data into smaller highly-controlled compartments to limit the impact of any potential breach (think of it like having separate locked filing cabinets for different types of sensitive information); Artificial Intelligence (AI) and Machine Learning (ML) - detecting anomalous behavior and automatically adapting security measures, which could involve analyzing user access patterns to identify potential threats in real-time; and Blockchain Technology - exploring its potential for secure data logging and access control, ensuring an immutable record of all data transactions.

This Zero Trust system must ensure that only authorized personnel can access sensitive data, regardless of location or device type, which is crucial for maintaining a tactical advantage in future conflicts where information superiority will be paramount. Existing, new, and emerging technologies will be crucial in building this system.

While promising technologies exist, they are not currently integrated or robust enough to meet the Navy's stringent security requirements. The new system must address real-time performance and must ensure access verification suitable for fast-paced combat scenarios. The Navy requires near-instantaneous system access to effectively respond to dynamic and evolving threats.

Furthermore, scalability and integration with complex Navy networks and systems must be ensured, along with system resilience to cyberattacks and the ability to function in degraded environments (i.e., situations where critical infrastructure or communication links may be compromised due to enemy action, natural disasters, or other disruptive events). The solution must develop faster (reduce average authentication time from 15 seconds to 5 seconds) and more efficient authentication methods; implement micro-segmentation techniques to reduce the attack surface by dividing a network into smaller isolated security segments; integrate AI/ML for real-time threat detection and response; and explore and adapt blockchain technology for secure data management. The Navy aims to achieve significant improvements compared to existing systems, including reducing access latency by at least 50%, reducing the risk of unauthorized data access by at least 90%, and streamlining data management processes to reduce administrative overhead by at least 25%.

The developed technology will be evaluated against National Institute of Standards and Technology (NIST) standards for compartmented data control, cybersecurity and data integrity (e.g., NIST SP 800-207, Zero Trust Architecture).

The Navy requires the development and integration of an adaptive "Zero Trust" data control system to secure critical combat data. This system must leverage advanced authentication, micro-segmentation, and AI/ML to provide near real-time, verified access for authorized personnel across any device or location. Key performance requirements include reducing authentication time to under five seconds, decreasing the risk of unauthorized data access by at least 90%, and ensuring the system is scalable, resilient in degraded environments, and compliant with NIST standards.

Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. owned and operated with no foreign influence as defined by 32 U.S.C. § 2004.20 et seq., National Industrial Security Program Executive Agent and Operating Manual, unless acceptable mitigating procedures can and have been implemented and approved by the Defense Counterintelligence and Security Agency (DCSA), formerly Defense Security Service (DSS). The selected contractor must be able to acquire and maintain a secret level facility and Personnel Security Clearances. This will allow contractor personnel to perform on advanced phases of this project as set forth by DCSA and NAVSEA in order to gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material during the advanced phases of this contract IAW the National Industrial Security Program Operating Manual (NISPOM), which can be found at Title 32, Part 2004.20 of the Code of Federal Regulations.

PHASE I: Develop a concept for a real-time Zero Trust data access control system for combat systems, specifically addressing the NIST standards associated with compartmented data control. Demonstrate the feasibility of this concept by providing detailed system architecture, including key technologies, algorithms, and data flow diagrams, which must include modeling and simulation to show the system's potential to meet Navy performance goals in the Description. (Note: If modeling and simulation alone cannot sufficiently demonstrate feasibility for specific aspects of the concept, propose and justify the use of subscale prototypes or surrogate systems, outlining their required characteristics and how they will contribute to a comprehensive feasibility assessment. For example, a subscale prototype might demonstrate the performance of a novel authentication mechanism under simulated network conditions, while a surrogate system could represent a simplified version of a combat system component for integration testing.)

The Phase I Option, if exercised, will include the initial design specifications and capabilities description to build a prototype solution in Phase II.

PHASE II: Develop a prototype of the Zero Trust data access control system for combat systems based on the results of Phase I. Demonstrate the core functionalities of the proposed system, including authentication, authorization, micro-segmentation, and real-time threat detection. Support testing of the prototype in a representative environment mirroring the complexity and data flow of a combat system network and including simulated cyberattacks and operational scenarios to assess the system's resilience and performance under stress. Deliver the prototype to the Navy.

It is probable that the work under this effort will be classified under Phase II (see the Description for details).

PHASE III DUAL USE APPLICATIONS: Support the Navy in transitioning the technology to Navy use. Transition the prototype Zero Trust data access control system into a fully operational capability for Navy use within the Maritime Targeting Cell - Afloat/Expeditionary (MTC-A/X) platform. The final product will be a robust, scalable, and secure system capable of managing and controlling access to sensitive combat system data in real-time, adhering to NIST standards and achieving the performance improvements outlined in previous phases.

The core technology developed under this effort has significant potential for dual-use applications in various commercial sectors. The need to protect sensitive data is not unique to the military. Businesses across numerous industries, including finance, healthcare, and energy, face similar challenges in safeguarding proprietary information and customer data from cyber threats and unauthorized access. The Zero Trust security model developed for the Navy can be adapted to protect sensitive corporate data, such as financial records, intellectual property, and personal health information.

REFERENCES:

  1. Rose, S., Borchert, O., Mitchell, S. and Connelly, S. "Zero Trust Architecture, Special Publication (NIST SP)." National Institute of Standards and Technology, 2020. https://doi.org/10.6028/NIST.SP.800-207, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=930420
  2. Freter, Robert and the Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. "Department of Defense (DoD) Zero Trust Reference Architecture Version 2.0." July 2022. https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf
  3. National Security Agency. "Embracing a Zero Trust Security Model Version 1.0." February 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF
  4. National Industrial Security Program Executive Agent and Operating Manual (NISP), 32 U.S.C. § 2004.20 et seq. (1993). https://www.ecfr.gov/current/title-32/subtitle-B/chapter-XX/part-2004

KEYWORDS: Zero Trust Architecture; Access Control; Data Integrity; Cybersecurity; Multi-factor Authentication; Micro-segmentation

TPOC 1: Emily Arquesa
(703) 984-0666
[email protected]

TPOC 2: John Hudson
(202) 781-3752
[email protected]

** TOPIC NOTICE **

The Navy Topic above is an "unofficial" copy from the Navy Topics in the DoW FY-26 Release 3 SBIR BAA. Please see the official DoW Topic website at www.dodsbirsttr.mil/submissions/solicitation-documents/active-solicitations for any updates.

The DoW issued its Navy FY-26 Release 3 SBIR Topics pre-release on June 3, 2026, which opens to receive proposals on June 24, 2026, and closes July 22, 2026 (12:00pm ET).

Direct Contact with Topic Authors: During the pre-release period (June 3 through June 23, 2026), proposing firms have an opportunity to directly contact the Technical Point of Contact (TPOC) to ask technical questions about the specific BAA topic. The TPOC contact information is listed in each topic description. Once DoW begins accepting proposals on June 24, 2026, no further direct contact between proposers and topic authors is allowed unless the Topic Author is responding to a question submitted during the Pre-release period.

DoD On-line Q&A System: After the pre-release period, until July 8, 2026, at 12:00 PM ET, proposers may submit written questions through the DoW On-line Topic Q&A at https://www.dodsbirsttr.mil/submissions/login/ by logging in and following instructions. In the Topic Q&A system, the questioner and respondent remain anonymous but all questions and answers are posted for general viewing.
NOTE: You must have registered in the DSIP system in order to ask an on-line topic question.

DoW Topics Search Tool: Visit the DoW Topic Search Tool at www.dodsbirsttr.mil/topics-app/ to find topics by keyword across all DoW Components participating in this BAA.

Help: If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk via email at [email protected]

