Researchers ask industry for information security measures to safeguard legacy software from cyber attacks

April 6, 2023
DARPA CPM seeks analysis tools, hardware, and software to segment legacy software automatically into limited-privilege fine-grained compartments.

ARLINGTON, Va. – U.S. military information security researchers are asking industry to find new ways of hardening large legacy software systems from potential cyber attacks.

Officials of the U.S. Defense Advanced Research Projects Agency (DARPA) released a broad agency announcement on Tuesday (HR001123S0028) for the Compartmentalization and Privilege Management (CPM) project.

DARPA CPM seeks to develop a set of analysis tools, hardware, and software infrastructure automatically to segment large legacy software systems into performant limited-privilege fine-grained compartments that prevent initial penetrations from turning into successful cyber attacks. The project involves automated compartmentalization, privilege enforcement, and evaluation support.

A successful cyber attack typically involves a sequence that moves from initial system penetration to privilege escalation and lateral motion, to a full-scale cyber attack.

Related: U.S. Space Force reaches out to industry for electronic surveillance and communications satellite payloads

An initial penetration seeks to increase the attacker’s privilege level, and then and to enable lateral movement within the compromised system. Ultimately, the attacker’s goal is to use the unauthorized privileged access to locate and exfiltrate sensitive information or to disrupt normal operations.

Traditional defenses against cyber attacks have focused on keeping an attacker out and eliminating exploitable bugs in code. The CPM program focuses instead on blocking privilege escalation and lateral movement -- even if there has been an initial penetration.

CPM technology will provide the capability to restructure a system into one that would prevent such campaigns from moving beyond their initial penetration.

Related: The sensor- and signal-processing challenges of electronic warfare

The first phase of the CPM program will use the open-source Linux operating system as the target for testing and evaluation. The second phase will focus on applying the tools and capabilities to securing applications like web browsers, web servers, database management systems.

CPM is divided into three technical areas: automated compartmentalization; privilege policy enforcement; and evaluation support. A new solicitation for a fourth technical area, DOD system experimentation, is anticipated prior to Phase 2.

Companies interested should upload abstracts no later than 18 April 2023 and full proposals by 6 June 2023 to the DARPA BAA website at

Email questions or concerns to DARPA at [email protected]. More information is online at
About the Author

John Keller | Editor-in-Chief

John Keller is the Editor-in-Chief, Military & Aerospace Electronics Magazine--provides extensive coverage and analysis of enabling electronics and optoelectronic technologies in military, space and commercial aviation applications. John has been a member of the Military & Aerospace Electronics staff since 1989 and chief editor since 1995.

Voice your opinion!

To join the conversation, and become an exclusive member of Military Aerospace, create an account today!