Information Innovation Office (I2O) Office-Wide

Abstract Template

COVER SHEET

ABSTRACT GUIDELINES: Use of this template is for all abstract submissions. Proposers must include all information in this template to constitute a fully conforming abstract submission.

Page Limit Requirement: Abstracts shall not exceed a maximum of 5 pages. This page limit does NOT include the following:

• Abstract Coversheet

• Table of Contents

• Bibliography (Optional)

• Technical Papers (Optional)

Formatting Requirements: All submissions must be typed in English on 8.5" by 11" pages using 12-point font with 1" margins all around. 8 or 10-point fonts may be used for figures, tables, and charts. Use of diagram(s) or figure(s) to depict the essence of the proposed solution is encouraged. Do NOT include elaborate brochures or marketing materials.

Content Requirements: Content requirements are noted in blue font under each section of the

abstract template. Proposers should delete all content requirements prior to abstract submission.

Submission Requirements: Abstract submissions must be submitted in PDF or Microsoft Word formats. The recommended file naming convention is “Organization Name_I2O OW Abstract.” All proprietary information should be appropriately marked. NOTE: "Confidential" is a classification marking used to control the dissemination of U.S. Government National Security Information as dictated in Executive Order 13526 and should not be used to identify proprietary business information.

UNCLASSIFIED abstracts must be submitted via DARPA’s Broad Agency Announcement Tool (BAAT). Please visit Proposer Instructions and General Terms and Conditions for specific information regarding submission methods through BAAT. Please note, BAAT is a method of secure transmission for CUI documentation. Submissions sent through other mediums, channels, or after the prescribed deadline will not be accepted.

CLASSIFIED abstracts must be submitted in accordance with the requirements, instructions, and procedures contained within the Classified Submissions. Classified submissions must NOT be submitted through the (BAAT) or Grants.gov.

TABLE OF CONTENTS

1. Goals and Impact 3

2. Technical Approach 3

3. Capabilities/Management Plan 3

4. Bibliography 3

# Goals and Impact

[Describe what is being proposed and what difference it will make (qualitatively and quantitatively) if successful. Describe the innovative aspects of the project in the context of existing capabilities and approaches, clearly delineating the relationship of this work to any other projects from the past and present.]

# Technical Approach

[Provide answers to the following questions:

• What is the proposed work attempting to accomplish or do?

• How is the work performed today (what is the state of the art or practice), and what are the limitations?

• What is new in your approach, and why do you think it will be successful?

• How would the DoD testing community implement the proposed approach/work?

• If applicable, what are the plans to deliver resilient software?

Outline and address technical challenges inherent in the approach and possible solutions for overcoming potential problems. Provide appropriate measurable milestones (quantitative if possible) at intermediate stages of the project to demonstrate progress and a plan for achieving the milestones.]

# Capabilities/Management Plan

[Provide a brief summary of the expertise of the team, including subawardees and key personnel. While teaming arrangements do not need to be finalized at the time of abstract submission, mention of potential teaming/collaboration arrangements is highly encouraged. Identify a principal investigator for the project and include a description of the team’s organization, including roles and responsibilities.]

# Cost and Schedule

[Provide a cost estimate for resources (e.g. labor, materials) and any subawardees over the entire program (base + options).]

# Bibliography

[Provide a bibliography with links to relevant papers, references, reports, etc.]

---

CMMS Attachment

Awards resulting from this Broad Agency Announcement (BAA) that take the form of procurement contracts are subject to the Cybersecurity Maturity Model Certification (CMMC) requirements prescribed in 32 CFR Part 170 and DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements. The Government will designate the required CMMC level (1, 2, or 3) in each resulting contract based on the sensitivity of the information involved—Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

If the PM/SID determines CMMC Level 1 – Basic Safeguarding of FCI, then the following will apply:

CMMC Level 1

a. Applicability:
Applies when the contractor will handle Federal Contract Information (FCI) only.

b. Requirement:
Contractors shall implement the 17 basic safeguarding requirements in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and maintain practices equivalent to CMMC Level 1.

c. Assessment:
Prior to award, the Offeror shall have a current CMMC Level 1 Self-Assessment recorded in the Supplier Performance Risk System (SPRS) in accordance with DFARS 252.204-7021.

d. CMMC Post-Assessment Remediation: Plan of Actions and Milestones (POA&M)
POA&M is not permitted for CMMC Level 1.

e. Certification Status:
A valid and current Level 1 certification is a condition of award. Offerors that do not possess the required certification at the time of award shall be ineligible for contract award.

f. Flow-Down:
The Contractor shall ensure that any subcontractor processing, storing, or transmitting FCI also maintains a current Level 1 Self-Assessment in SPRS.

g. Verification:
The Contractor shall maintain its Level 1 certification for the full contract period. The Government will verify certification status in SPRS and may request access to assessment results or supporting evidence at any time.

If the PM/SID determines CMMC Level 2 – Broad Protection of CUI, then the following will apply:

CMMC Level 2

a. Applicability:
Applies when the contractor will handle Controlled Unclassified Information (CUI) on non-Federal systems.

b. Requirement:
Contractors shall implement the 110 security requirements in NIST SP 800-171 Rev. 2 and meet the standards for CMMC Level 2.

c. Assessment: (This language will change after 10 November 2026 when a C3PAO level 2 assessment is required)

Self-Assessment: The Offeror shall have a current CMMC Level 2 Self-Assessment posted in SPRS prior to award.

C3PAO Assessment: The Offeror shall hold a current CMMC Level 2 Certification issued by an authorized CMMC Third-Party Assessment Organization (C3PAO) prior to award. (add this statement 10 Nov 2026)

d. CMMC Post-Assessment Remediation: Plan of Actions and Milestones (POA&M)
A POA&M closeout assessment is a CMMC assessment that evaluates only the NOT MET requirements identified in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within this timeframe, the Conditional CMMC Status for the information system will expire

• Level 2 Self-Assessment: The POA&M closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.

• Level 2 Certification Assessment: The POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.

e. Certification Status:
A valid and current Level 2 certification is a condition of award. Offerors that do not possess the required certification at the time of award shall be ineligible for contract award.

f. Flow-Down:
The Contractor shall flow this requirement to any subcontractor whose work involves CUI.

g. Maintenance and Verification:
The Contractor shall maintain its Level 2 certification for the full contract period. The Government will verify certification status in SPRS and may request access to assessment results or supporting evidence at any time.

If the PM/SID determines CMMC Level 3 – Higher-Level Protection of CUI Against Advanced Persistent Threats, then the following will apply:

CMMC Level 3

a. Applicability:
Applies when performance involves CUI requiring protection from advanced persistent threats (APT) or when specified by the Government.

b. Requirement:
Contractors shall implement all requirements of NIST SP 800-171 plus the enhanced controls identified in NIST SP 800-172, consistent with CMMC Level 3.

c. Assessment:
Offerors must successfully complete a Government-led CMMC Level 3 Assessment prior to contract award, as defined in DFARS 252.204-7021 and current CMMC implementation guidance.

d. CMMC Post-Assessment Remediation: Plan of Actions and Milestones (POA&M)
A POA&M closeout assessment is a CMMC assessment that evaluates only the NOT MET requirements identified in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within this timeframe, the Conditional CMMC Status for the information system will expire.

• Level 3 Certification Assessment: The POA&M closeout certification assessment will be performed by DCMA DIBCAC.

e. Certification Status:
A valid and current Level 3 certification is a condition of award. Offerors that do not possess the required certification at the time of award shall be ineligible for contract award.

f. Flow-Down:
The Contractor shall ensure that all subcontractors processing, storing, or transmitting CUI under the contract maintain a Level 3 certification or higher.

g. Maintenance and Verification:
The Contractor shall maintain its Level 3 certification for the full contract period. The Government will verify certification status in SPRS and may request access to assessment results or supporting evidence at any time.

---

Classified Submission Instructions

Classified Submission Requirements, Instructions and Procedures

(applicable to all Proposers)

REQUIREMENTS

Prior to preparing a classified proposal, proposers must have cognizant security agency approved facilities, information systems, appropriately cleared/eligible personnel to perform at the classification level proposed and obtain a solicitation contract security specification (DD form 254) from the DARPA technical office Program Security Officer (PSO) by contacting the BAA Coordinator for this effort at HR001126S0001@darpa.mil .

All proposer personnel performing Information Assurance (IA)/Cybersecurity related duties on classified Information Systems shall meet the requirements set forth in DoD Manual 8570.01-M (Information Assurance Workforce Improvement Program). Additional information on the subjects discussed in this section may be found at http://www.dcsa.mil.

Proposers choosing to submit classified information from other classified sources (i.e., sources other than DARPA) must ensure (1) they have permission from an authorized individual at the cognizant Government agency (e.g., Contracting Officer, Program Manager); (2) the proposal is marked in accordance with the source Security Classification Guide (SCG) from which the material is derived; and (3) the source SCG is submitted along with the proposal. The cognizant agency concurrence and SCG will be included with the classified submission.

CLASSIFIED SUBMISSION INSTRUCTIONS
DARPA will accept hard copy classified submissions and electronic submissions based on the following overarching instructions:

Hard Copy submission: When submitting a hard copy of the classified portion according to the instructions outlined below, proposers should submit three (3) hard copies of the classified portion of their proposal and two (2) CD-ROMs containing the classified portion of the proposal as a single searchable Adobe PDF file. Please ensure that all CDs are well-marked. Each copy of the classified portion must be clearly labeled with Announcement Number, proposer organization, proposal title (short title recommended), and “Copy _ of _.”

Electronic submission: DARPA will accept classified submissions electronically if performers have access to SAVANNAH/ASCEND, JWICS, or SIPERNET, based on the classification level of the proposal. Proposers will engage early with DARPA security at I2Osecurity@darpa.mil to ensure an electronic submission is possible in order to meet submission deadlines. DARPA will not furnish any classified systems specifically for proposal writing.

The following represents further detailed classified submission instructions and procedures based on the level of security classification for hard copy submissions.

# Confidential, Secret, and Top Secret Information

When submitting Confidential, Secret, and/or Top Secret classified information, proposers must use transmission, classification, handling, and marking guidance provided by previously issued SCGs, the DoD Information Security Manual (DoDM 5200.01, Volumes 1 - 4), and the National Industrial Security Program Operating Manual, including the Supplement Revision 1 (DoD 5220.22-M and DoD 5200.22-M Sup. 1).

# Confidential and Secret

Confidential and Secret classified information may be submitted via ONE of the two following methods:

• Hand-carried by an appropriately cleared and authorized courier to the DARPA Classified Document Registry (CDR). Prior to traveling, the courier must contact the DARPA CDR at 703-526-4052 to coordinate arrival and delivery.

OR

• Mailed via United States Postal Service (USPS) Registered Mail or USPS Express Mail. All classified information must be enclosed in opaque inner and outer covers and double-wrapped. The inner envelope must be sealed and plainly marked with the assigned classification and addresses of both sender and addressee. Senders must address the inner and outer envelopes as stated below:

The inner envelope shall be addressed to:

Defense Advanced Research Projects Agency ATTN: DARPA/I2O

Reference: – HR001125S0002

675 North Randolph Street Arlington, VA 22203-2114

The outer envelope shall be sealed with no identification as to the classification of its contents and addressed to:

Defense Advanced Research Projects Agency Security & Intelligence Directorate ATTN: CDR

675 North Randolph Street Arlington, VA 22203-2114

# Top Secret Information

Top Secret information must be hand-carried by an appropriately cleared and authorized courier to the DARPA CDR. Prior to traveling, the courier must notify I2Osecurity@darpa.mil and contact the DARPA CDR at 703-526- 4052 to coordinate arrival and delivery.

# Sensitive Compartmented Information (SCI)

SCI must be marked, managed and transmitted in accordance with DoDM 5105.21 Volume 2. Unclassified questions regarding the transmission of SCI may be sent to the DARPA Technical Office PSO via I2Osecurity@darpa.mil.

# Special Access Program (SAP) Information

SAP information must be marked in accordance with DoDM 5205.07 Volume 4 and transmitted by specifically approved methods which must be approved by the Technical Office PSO via a courier authorization letter.

Proposers choosing to submit SAP information from an agency other than DARPA are required to provide the DARPA Technical Office PSO written permission from the source material’s cognizant Special Access Program Control Officer (SAPCO) or designated representative. For clarification regarding this process, contact the DARPA Technical Office PSO via I2Osecurity@darpa.mil.

Additional SAP security requirements regarding facility accreditations, information security, personnel security, physical security, operations security, test security, classified transportation plans, and program protection planning may be specified in the solicitation DD Form 254.

NOTE: All proposals containing Special Access Program (SAP) information must be processed on a SAP information technology (SAP IT) system that has received an Approval-to-Operate (ATO) from the DARPA Technology Office PSO or other applicable DARPA SAP IT Authorizing Official. The SAP IT system ATO will be based upon the Risk Management Framework (RMF) process outlined in the Joint Special Access Program Implementation Guide (JSIG), current version (or successor document). (Note: A SAP IT system is any SAP IT system that requires an ATO. It can range from a single laptop/tablet up to a local and wide area networks.)

The Department of Defense mandates the use of a component’s SAP enterprise system unless a compelling reason exists to use a non-enterprise system. The DARPA Chief Information Officer (CIO) must approve any performer proposal to acquire, build, and operate a non-enterprise SAP IT system during the awarded period of performance. Use of the DARPA SAP enterprise system, SAVANNAH, does not require CIO approval.

SAP IT disposition procedures must be approved in accordance with the DoD CIO Memorandum of April 20, 2020.

# Combined Classified and Unclassified Submissions Instructions:

For a proposal that includes both classified and unclassified information, the proposal should be separated into two separate documents; one document will represent the unclassified proposal, and the second document will represent the classified proposal.

When submitting a combined classified and unclassified submission, the proposers must send an unclassified email to HR001126S0001@darpa.mil as notification that there is a classified portion to the proposal.

The proposer should include as much information as possible in the unclassified proposal and use the classified proposal ONLY for classified information.

The unclassified proposal must be submitted through the DARPA Broad Agency Announcement Tool (BAAT). Please visit Proposer Instructions and General Terms and Conditions for specific information regarding submission methods through BAAT.

The classified proposal must be submitted separately, in accordance with the Classified Submission Instructions section above. Classified submissions (Executive Summary or Full Proposal) should NOT be submitted through BAAT or Grants.gov.

---

> Download PDF file: HR001126S0001.pdf

---

> Download ZIP file: Model_Contracts_and_Agreements.zip