Procuring and deploying commercial technology for government use is increasingly facilitated by one relatively new program. The program, known as the CSfC program or Commercial Solutions for Classified Program, is overseen by the National Security Agency (NSA). The NSA’s Commercial Solutions for Classified Programs division has created capability packages (CPs).
CSfC capability packages provide essential information about the operational requirements and guidelines for commercial products. The goal is for these standards to provide a global set of criteria to accreditors who must decide whether a solution meets security requirements.
For vendors to achieve the designation, they must undergo a rigorous process of submissions and approvals. Standards are high and the process is thorough. The stated goal of this program is to enable more commercial products to be used as part of layered solutions that protect classified NSS data. Enacting commercial standards for these solutions can cut the time it takes to reach the market or an agency from years to months.
Government agencies, including those from the Department of Defense and Intelligence Community organizations, use these objective requirements and threshold requirements to select qualifying technological products and solutions.
CSfC Capability Package Requirements
Building a CSfC approved solution means selecting a capability package and aligning architecture within the guidelines of that CP.
About Capability Packages
CSfC capability packages offer vendor-agnostic requirements for secure solutions. The four types of CPs are:
- Mobile access CP
- Multi-site connectivity CP
- Wireless LAN CP
- Data-at-rest CP
For example, Archon’s GoSilent Server, built with secure, government-certified IPSec VPN software, is an approved mobile access CSfC solution. This means that it aligns with the standards of architecture outlined in the mobile access CP.
Read on for more detail about the CSfC capability packages and the types of products that each CP provides guidelines for.
Mobile Access Capability Package
The mobile access capability package, or MACP, addresses mobile requirements and data in transit. When classified data is being transmitted over external or remote devices, it must maintain a secure connection to a primary network.
The technical requirements are comparable to Type 1 solutions, which had previously been a gold standard for cybersecurity. The CSfC mobile access CP provides a way to transmit data directly over the open internet, cellular, or satellite networks to and from remote endpoints. These solutions may be used in conjunction with the data-at-rest CP.
Multi-Site Connectivity Capability Package
The multi-site connectivity CP refers to data being transmitted over untrusted networks. Classified data may need to be shared between government branches or field offices. When data in transit moves this way, there must be access to multiple connectivity points without an increased risk of interception.
Wireless LAN Capability Package
Wireless LANs are often used for data in transit across a campus-wide network. For Wi-Fi connectivity, on-site solutions may need physical barriers to protect the security of classified data. As with any other CP, all of the components that go into building a secure solution like this must be approved, in addition to the final product.
Data-at-Rest Capability Package
Data at rest, in this context, usually refers to an end-user device that stores classified data. Solutions that protect this data may be used in conjunction with those developed within the CSfC mobile access solution capability package. The data-at-rest CP protects field-based individuals and the classified communication and data that may be stored on their physical devices.
Taking Advantage of CSfC Trusted Integrators
If you’re daunted by the very prospect of navigating the NSA CSfC Components List, NSA also provides a list of Trusted Integrators: third-party contractors who have met a strict set of criteria. These organizations can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
Trusted Integrators have both strong relationships with the clients they serve and a deep understanding of many components on the CSfC Approved Component List. All Trusted Integrators are individually vetted by the CSfC PMO prior to inclusion on the list. While it is not required to use a CSfC Trusted Integrator to build your solution, it is highly encouraged by CSfC and will improve your chances of getting a solution registered quickly.
Some of the requirements that Trusted Integrators must meet in order to be included on the list are:
- Management and technical requirements of the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)
- National Voluntary Lab Accreditation Program, as per NIST Handbook 150
- ISO 9000, Quality Management Systems
- Capability Maturity Model Integration (CMMI)
Find Commercial Solutions for Classified [CSfC]
The NSA maintains a controlled registration process and compliance checklists, and offers client assistance to vendors that want to submit products. To find a product that has met the right criteria, you can view the CSfC components list (to ensure that component parts are NIAP-approved) and check with a manufacturer directly to learn if the product you wish to obtain is an approved CSfC product.
The CSfC Component List is growing and changing constantly, and building a CSfC solution is just the beginning. Keep in mind that you will need to regularly review and refresh your approved solution as technology improves or changes.
Read our full guide on building a CSfC solution to learn how you can embark upon the process, and where you can find resources to make it easier.