N251-042 TITLE: Resilience against Supply Chain Cyber Vulnerabilities
OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Advanced Computing and Software
The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.
OBJECTIVE: Develop a technology that ensures computing hardware technologies integrated into future combat systems are trustworthy and cyber secure.
DESCRIPTION: Shipboard computing infrastructure has evolved to over 3,000 Central Processor Unit (CPU) Cores that are distributed across multiple military grade cabinets. The cabinets can be in multiple spaces within a ship to ensure survivability if a set of cabinets is disabled or destroyed. Current CPUs within the cabinets are on Advanced Telecommunications Computing Architecture (ATCA) standard single board computers (i.e., blades).
The distributed nature of shipboard computing poses significant challenges in ensuring security, robustness, trustworthiness, and performance of computing infrastructure. Infrastructure resilience is the ability of a computer infrastructure to adapt, mitigate, and respond to stresses within the Information Technology (IT) environment via the integration of software and applications. The IT system can transform itself to ensure that essential business functions and processes are maintained. In today’s environment, cyber security is managed using a security information and event management (SIEM) embedded within the computing infrastructure (i.e., NIST SP 800-145 Infrastructure as a Service (IaaS)) or application services (e.g., NIST SP 800-145 Platform as a Service (PaaS)).
Computer research in the area of advanced multi-die systems is achieving previously unheard-of levels of performance. Instead of one-size-fits-all monolithic silicon, multi-die systems are comprised of an array of heterogeneous dies (or "chiplets"), optimized for each functional component. Given the increase in performance and evolutionary trend of shipboard computing hardware over the past 30 years, it’s fair to predict that eventually chiplets will find their way onto surface ships to meet evolving surface ship warfighting requirements (e.g., AI/ML, decision support, weapons coordination). While multi-die systems offer new levels of flexibility and achievement in system power and performance, they also introduce a high degree of design complexity and new security challenges.
The Universal Chiplet Interconnect Express (UCIe) standard was introduced in March of 2022 to help standardize die-to-die connectivity in multi-die systems. UCIe can streamline interoperability between dies on different process technologies from various suppliers. But while a UCIe-compliant multi-die system may work great through development, testing, and manufacturing, can the system’s die-to-die connectivity be ensured to continue—robust, secure, and tested—even while it’s operating in the field? Having a mix of suppliers in a supply chain from various countries introduces security challenges within a chiplet-based architecture. Solving these challenges is of utmost importance for stakeholders. A comprehensive, multi-layered approach to address computing infrastructure resilience (CIR) and enhance the overall reliability and efficiency of edge computing environments is sought. There is no current commercial solution to address the approach needed.
A solution needs to protect all surfaces beyond the trusted computing base (e.g., processor chip) as data moves around the system. It must ensure zero trust by always verifying data and sources within the computing infrastructure (attestation). It must also ensure least privilege by software and hardware components only having access to what they need to complete work (access control). This research needs to demonstrate the ability to modify settings and controls to ensure CIR under various conditions.
Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. owned and operated with no foreign influence as defined by 32 U.S.C. § 2004.20 et seq., National Industrial Security Program Executive Agent and Operating Manual, unless acceptable mitigating procedures can and have been implemented and approved by the Defense Counterintelligence and Security Agency (DCSA) formerly Defense Security Service (DSS). The selected contractor must be able to acquire and maintain a secret level facility and Personnel Security Clearances. This will allow contractor personnel to perform on advanced phases of this project as set forth by DCSA and NAVSEA in order to gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material during the advanced phases of this contract IAW the National Industrial Security Program Operating Manual (NISPOM), which can be found at Title 32, Part 2004.20 of the Code of Federal Regulations.
PHASE I: Develop a concept for CIR that meets the requirements stated in the Description. Demonstrate the feasibility of the concept in meeting the Navy’s need through a combination of analysis, modeling, and simulation. The Phase I Option, if exercised, will include initial design specifications and capabilities description to build a prototype solution in Phase II.
PHASE II: Develop and deliver a prototype CIR based upon the results of Phase I. Demonstrate the prototype’s functionality through various cybersecurity use cases that demonstrate that it meets the requirements of the Description.
It is probable that the work under this effort will be classified under Phase II (see Description section for details).
PHASE III DUAL USE APPLICATIONS: Support the Navy in transitioning the technology to Navy use. Provide a final CIR product that includes a set of design patterns, code examples, and compliance tests that provide guidance for CIR compliant implementations. Provide necessary product-level objective quality evidence to support product certification for use.
It is anticipated that this CIR can become a standard industry and DoD computing infrastructure implementation. Commercial cloud environments (e.g., Amazon, Microsoft Azure) can benefit from this CIR as well as computing environments located within industry facilities.
REFERENCES:
1. Loh, Gabriel H. and Swaminathan, Raja. "The Next Era for Chiplet Innovation". 2023 Design, Automation Test in Europe Conference Exhibition, pp. 1-6. DOI: 10.23919/DATE56975.2023.10137172 https://ieeexplore.ieee.org/document/10137172
2. Abdennadher, Salem. "Testing Inter-Chiplet Communication Interconnects in a Disaggregated SoC Design." 2021 IEEE International Conference on Design Test of Integrated Micro Nano-Systems (DTS), 2021, pp. 1-7. DOI: 10.1109/DTS52014.2021.9498132 https://ieeexplore.ieee.org/document/9498132
3. Sangiovanni-Vincentelli, Alberto et al. "Automated Design of Chiplets." Proceedings of the 2023 International Symposium on Physical Design. ISPD ’23. Virtual Event, USA: Association for Computing Machinery, 2023, pp. 1-8. ISBN: 9781450399784. DOI: 10.1145/3569052.3578917 https://doi.org/10.1145/3569052.3578917
4. Frazelle, Jessie. "Securing the Boot Process: The hardware root of trust." Queue 17.6, 2019, pp. 5-21. https://queue.acm.org/detail.cfm?id=3382016
5. "National Industrial Security Program Executive Agent and Operating Manual (NISP), 32 U.S.C. § 2004.20 et seq. (1993)." https://www.ecfr.gov/current/title-32/subtitle-B/chapter-XX/part-2004
KEYWORDS: Chiplet Architecture; Universal Chiplet Interconnect Express; UCIe; Infrastructure Resilience; Computing Infrastructure; Zero Trust; Supply Chain
** TOPIC NOTICE **
The Navy Topic above is an "unofficial" copy from the Navy Topics in the DoD 25.1 SBIR BAA. Please see the official DoD Topic website at www.dodsbirsttr.mil/submissions/solicitation-documents/active-solicitations for any updates. The DoD issued its Navy 25.1 SBIR Topics pre-release on December 4, 2024 which opens to receive proposals on January 8, 2025, and closes February 5, 2025 (12:00pm ET).
Direct Contact with Topic Authors: During the pre-release period (December 4, 2024, through January 7, 2025) proposing firms have an opportunity to directly contact the Technical Point of Contact (TPOC) to ask technical questions about the specific BAA topic. Once DoD begins accepting proposals on January 8, 2025 no further direct contact between proposers and topic authors is allowed unless the Topic Author is responding to a question submitted during the Pre-release period.
DoD On-line Q&A System: After the pre-release period, until January 22, at 12:00 PM ET, proposers may submit written questions through the DoD On-line Topic Q&A at https://www.dodsbirsttr.mil/submissions/login/ by logging in and following instructions. In the Topic Q&A system, the questioner and respondent remain anonymous but all questions and answers are posted for general viewing.
DoD Topics Search Tool: Visit the DoD Topic Search Tool at www.dodsbirsttr.mil/topics-app/ to find topics by keyword across all DoD Components participating in this BAA.
1/15/25
Q.
A.
1. We currently do requirements analysis, and go off and look at computer performance. Once chiplets enter mainstream, we will just get chiplets like we do processors today. All of technology will probably transition to chiplet based architectures.
2. Corruption of data, corruption of information provided to the warfighter (whether that be in the heat of battle or regular operations).
3. There is an executive order that may be of interest: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/. In architecture discussion, ISTIO has been suggested to ensure zero trust among software components. Is there something that should be considered for chiplet technologies?
4. Right now, there are no methodologies or security frameworks in place. We'd want to have ongoing evaluations of the systems once deployed. Frequency varies based on the vulnerability as well as our cyber posture.
5. More securing the end-to-end system architecture. Note that the CHIPS and Science Act (Public Law No: 117-167 (08/09/2022)) may impact vendor choices.
6. Successful Phase II would likely be pursued as a Phase III Transition. As for commercial applications, any supply chain with chiplet technologies implemented would benefit from the technology.