Commercial Solutions for Classified: Building Your Outer Tunnel for CSfC's Required Double Tunnel VPN

NSA's CSfC program requires the use of a double tunnel VPN. Here's what to consider when building your outer tunnel VPN.
6 min read

Commercial Solutions for Classified (CSfC) is an NSA initiative that allows users more flexibility in how they handle classified data, while still maintaining high IT security standards. Rather than mandating the use of Type 1 government off-the-shelf (GOTS) equipment, CSfC enables users to construct alternative solutions by assembling a number of commercial off-the-shelf (COTS) products.

To receive NSA approval, CSfC solutions must comply with a stringent set of security requirements. For example, users who want to send and receive mobile data, including voice and video calls, need to encrypt this data using a double VPN tunnel.


But what does a dual, or double, VPN tunnel look like for CSfC solutions, and how can you build one yourself?


In this article, we’ll go over what you need to know about building an outer tunnel for VPNs under the CSfC protocol.


-- Article Continues Below --


New call-to-action

Everything you need to know when it comes to the CSfC process.


Why Build a Double VPN Tunnel?

Type 1 GOTS equipment comes with the guarantee of being NSA-certified and battle-tested. In many cases, however, building a GOTS hardware product from scratch is too slow and expensive to be practical.


More importantly, it has a higher total cost of ownership and far greater degree of management complexity. 


The CSfC program was founded on the idea that commercial off-the-shelf products could serve as an acceptable substitute to government-built equipment, saving NSA money and offering greater technological flexibility.


Building your own double VPN tunnel via CSfC can help you get a working solution up and running faster, along with other benefits such as lower total cost of ownership.


What is the Double VPN Tunnel in CSfC?

As part of the CSfC program, NSA offers several Capability Packages as a starting point for users to implement their own solution. The products, or components, used to build the CSfC solutions must be selected off the CSfC Components List. These components have been certified by NSA’s rigorous NIAP certification along with FIPS when applicable.


The CSfC Multi-Site Connectivity Capability Package describes the need to protect classified data using multiple encrypted tunnels to protect data using a specified set of encryption protocols. 


Using two nested, independent encryption tunnels helps to protect the confidentiality and integrity of data as it moves through an untrusted network. Each of the two tunnels helps protect data flow by using one of two independent encryption protocols:

  • Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway
  • Media Access Control Security (MACsec) generated by a MACsec Device.

The outer tunnel of a dual tunnel VPN refers to the components that terminate the outer layer of encryption.


The Mobile Access Capability Package (MACP) outlines how to protect data using a mobile communication system (e.g. over cellular networks or Wi-Fi). The MACP guidelines are very specific on how to build a mobile access solution for exchanging confidential information.


Implemented correctly, this solution should work both for untrusted networks and for networks consisting of multiple classification levels.

According to the MACP document: “The MA solution uses two nested, independent tunnels to protect the confidentiality and integrity of data (including voice and video) as it transits the untrusted network. The MA solution uses Internet Protocol Security (IPsec) as the outer tunnel and, depending on the solution design, IPsec or Transport Layer Security (TLS) as the inner layer of protection.”


Using a double VPN tunnel provides an extra layer of protection and redundancy for classified data traveling across mobile networks. If a malicious actor manages to hack through the outer tunnel, the data remains secure thanks to the additional encryption provided by the VPN’s inner tunnel.


The double layer of encryption helps to prevent data spillage, a security incident where classified information is exposed to an unauthorized system or individual. This means that CSfC VPN solutions can transport extremely sensitive information, all the way up to TS (Top Secret).


What Does a Double VPN Tunnel for CSfC Require?

We first need to define some terms for the networks that comprise a CSfC mobile access solution:

  • Red network: The “red network” is the part of the network that contains only “red data,” i.e. data that is classified but unencrypted.
  • Gray network: The “gray network” is the part of the network that contains “gray data,” i.e. classified data that has been encrypted once. It sits between the inner and outer VPN tunnels. Both red and gray networks are under the control of the solution owner or a trusted third party.
  • Black network: The “black network” is the part of the network that contains twice-encrypted classified data. Black networks are not necessarily under the solution owner’s control, and may be operated by an untrusted third party.

The components of a CSfC mobile access solution, moving from the edge of the infrastructure to the inner VPN tunnel, are:

  • Outer firewall: The outer firewall sits between the mobile access solution infrastructure and the black network, allowing only incoming IPsec traffic.
  • Outer VPN gateway: The outer VPN gateway is connected to the outer firewall and performs many essential tasks as part of the mobile access solution, including: double encryption of confidential data, authentication, and enforcing network packet handling rules.
  • Gray firewall: The gray firewall sits between the outer VPN gateway and the inner tunnel, filtering packets and EUD traffic.
  • Gray management services: The gray management services are various infrastructure components that are responsible for managing and monitoring the gray network. This includes admin workstations, SIEM (Security Information and Event Management) software, intrusion prevention system (IPS), and authentication servers.
  • Inner encryption components: The inner encryption components consist of one or more inner encryption solutions: inner VPN gateways, inner TLS-protected servers, and/or inner SRTP endpoints.
  • Red management services: Akin to the gray management services, red management services are responsible for managing and monitoring the gray network with tools such as admin workstations, IPS, and SIEM software.

Building an outer tunnel for your CSfC site-to-site connectivity or mobile access solution thus requires two separate components: the outer firewall and the outer VPN gateway. 


In addition, note that the cryptographic libraries used by the outer tunnel must be different from those used by the inner tunnel, in order to provide a sufficiently hardened double encryption layer and proper defense in depth.



Building your own CSfC solution involves careful consideration of many different requirements and issues, and the double VPN tunnel is no exception.


Before you start building an outer VPN tunnel, make sure to do your research and speak with potential vendors or CSfC integrators to find the product that’s right for your situation.


Are you looking for a robust, feature-rich, outer tunnel solution for your CSfC double VPN tunnel? Get in touch with the Archon team.


Archon’s GoSilent Cube is an enterprise-grade firewall and VPN product that has been NSA-certified for use as the outer tunnel component in CSfC mobile access solutions.

New call-to-action

Table Of Contents
Share this article

Get in touch.

Our team of experts has configured hundreds of solutions for organizations throughout the globe. Let us help you make security simple.