As part of its Commercial Solutions for Classified (CSfC) program, NSA offers several Capability Packages as a starting point for users to reference when implementing their own solutions. Think of them as pre-approved "blueprints" for architecting a CSfC solution, or a solution that needs to be used in a National Security System.
The products, or components, which are used in the Capability Packages and, ultimately, to build CSfC solutions, must be selected off the NSA CSfC Components List, and can be used to build a layered solution containing multiple components.
The products on the Components List have all been certified to meet the highest levels of security, by NSA's rigorous National Information Assurance Partnership (NIAP) certification along with Federal Information Processing Standards (FIPS), when applicable, meaning that they are built in accordance with the US Government's stringent cybersecurity requirements.
The CSfC Capability Packages (CPs) are reviewed, updated, and re-published by the NSA CSfC Program Management Office (CSfC PMO) for use on a regular basis.
-- Article Continues Below --
What are the Commercial Solutions for Classified or CSfC capability packages?
CPs are a part of the CSfC program that provides vendor-agnostic requirements for the implementation and configuration of a secure solution within a certain architectural area.
There are currently four CPs:
- Mobile Access CSfC Capability Package : Describes how an organization can build a solution that allows remote endpoints to communicate back to the highly-protected primary network over unclassified networks or the open internet without risking the security of classified information.
IPsec VPN Client
A VPN Client is software that is installed on endpoint devices allowing them to send encrypted data or traffic to and from a central network.
IPsec VPN Gateway
A VPN Gateway is used to send encrypted data or traffic between two remote devices or networks.
Read the full NIAP protection profile for VPN clients. You can also view the list of CSfC Certified IPsec VPN Gateways on the CSfC website.
MACSEC Ethernet Encryption Devices
MACSEC ethernet encryption devices allow for Ethernet data or traffic to be securely transmitted between two ethernet-connected endpoints.
Read the full NIAP protection profile for MACSEC encryption devices. You can also view the list of CSfC Certified MACSEC Ethernet Encryption Devices on the CSfC website.
Mobile Device Management
Mobile Device Management (MDM) systems are used to control the administration and access of third-party mobile devices like smartphones, tablets, and laptops.
Session Border Controller
Session border controllers are used to protect VoIP-based communication and data between endpoint devices or networks.
Read the full NIAP protection profile for session border controllers. You can also view the list of CSfC Certified Session Border Controllers on the CSfC website.
Enterprise Session Controller
Enterprise session controllers are simply session border controllers packaged as part of a larger scale unified communications or contact center solution.
Read the full NIAP protection profile for enterprise session controllers. You can also view the list of CSfC Certified Enterprise Session Controllers on the CSfC website.
Software Full Drive Encryption
Software disk encryption solutions use software methods instead of hardware-based methods for full hard disk encryption and data protection.
Read the full NIAP protection profile for software disk encryption solutions. You can also view the list of CSfC Certified Software Full Drive Encryption Solutions on the CSfC website.
TLS Protected Servers
TLS protected servers use Transportation Layer Security (TLS) protocol to secure all communications to and from the server.
Read the full NIAP protection profile for TLS protected servers. You can also view the list of CSfC Certified TLS Protected Servers on the CSfC website.
TLS Software Applications
TLS software applications use Transportation Layer Security (TLS) protocol to secure all communications to and from the application.
Read the full NIAP protection profile for TLS protected applications. You can also view the list of CSfC Certified TLS Software Applications on the CSfC website.
Traffic Filtering Firewall
Traffic filtering firewalls are firewalls that allow you to filter out very specific types of traffic
Read the full NIAP protection profile for traffic filtering firewalls. You can also view the list of CSfC Certified Traffic Filtering Firewalls on the CSfC website.
VoIP applications are meant to control and direct VoIP traffic.
Web browsers are installed on end-user devices and used to connect and browse the internet.
WLAN Access System
WLAN access systems control the access of users to a WLAN network .
Read the full NIAP protection profile for WLAN access systems. You can also view the list of CSfC Certified WLAN Access Systems on the CSfC website.
WLAN clients are installed on end-user devices that need access to the WLAN network .
Protection Profiles in Development
It can take anywhere from 6 to 7 months for new Protection Profiles to be built and released.
Creating and releasing a new profile is approached in four phases, with the entire process totaling between 4 and 5 months to complete:
- Initiation: In this phase, essential security requirements for the profile are being developed. This phase typically takes about one month to complete.
- Planning: In this phase, the technical community is involved in planning the necessary requirements for the profile. This phase typically takes about one month to complete.
- Development: In this phase, NIAP works to fully define threats, security requirements, and assurance activities for the profile. This phase typically takes 3 to 4 months to complete.
- Publishing: In this phase, public approval is obtained and the profile is officially released via the NIAP website. This phase typically takes one month to complete.
As of this writing, the current protection profiles under development include:
- Endpoint Detection and Response
- Host Agent
- Wireless Intrusion Detection/Prevention Systems (WIDS/WIPS)
- Voice and Video over IP (VVoIP)
Archived components list
As updates happen, products on the CSfC Component List may lose their certification. Vendors also may choose not to renew certifications when their renewal period expires. For this reason, CSfC maintains an Archived Components List .
If you have a solution that includes any component that is moved to the Archived Component List, you'll have two years to transition from that component to a new solution that is currently approved.
Taking Advantage of CSfC Trusted Integrators
If you’re daunted by the very prospect of navigating the CSfC Components List, NSA also provides a list of Trusted Integrators - third-party contractors who have met a strict set of criteria. These organizations can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
Trusted Integrators have strong relationships both with the clients they serve and a deep understanding of many components on the CSfC Approved Component List. All trusted integrators are individually vetted by the CSfC PMO prior to inclusion on the list. While it is not required to use a CSfC Trusted Integrator to build your solution, it is highly encouraged by CSfC and will improve your chances of getting a solution registered quickly.
Some of the requirements that Trusted Integrators must meet in order to be included on the list are:
- Management and technical requirements of the International Organization for Standardization (ISO)/International Electro-Technical Commission (IEC)
- National Voluntary Lab Accreditation Program, as per NIST Handbook 150
- ISO9000, Quality Management Systems
- Capability Model Maturity Integration (CMMI)
The CSfC Component List is growing and changing constantly, and building a CSfC solution is just the beginning. Keep in mind that you will need to regularly review and refresh your approved solution as technology improves or changes.