The Data at Rest Capability Package was developed as part of the Commercial Solutions for Classified (CSfC) Program and is meant to help those working to implement a solution that will protect classified data stored on end-user devices.
The package typically applies to organizations that handle classified data and that are working on a solution that ultimately leaves some number of their devices outside of their control. It is commonly combined with a CSfC mobile access solution.
The goal of building a solution that combines mobile access with data at rest is to allow for individuals in the field to work as securely as they would from within an office, connected to the secure network, while still keeping any data stored on their devices safe.
How to use the CSfC Data at Rest Capability Package
The CSfC program was created to provide solutions that transmit classified data using simpler or less expensive methods than typical Type 1 communications equipment.
The CSfC program is an initiative launched by the NSA that allows U.S. government agencies to use commercial off-the-shelf (COTS) solutions verified and approved to meet national security standards (NSS).
Utilizing a well-established cybersecurity concept, “defense in depth” (DiD), the CSfC program encourages layering multiple off-the-shelf IT security solutions on top of each other. Why? The risk that all of these solutions will fail is much lower than when using a single solution.
The CSfC program allows organizations to build solutions combining multiple commercial products that have been verified and pre-approved for handling classified data. All parts listed in the Commercial Solutions for Classified (CSfC) Components List must first go through the NIAP certification process to prove sufficient security levels.
This process and inclusion on the CSfC Components List allow organizations to be certain that the commercial parts they are using will provide enough security to protect the classified information they transmit.
How to Build a Solution
Proper implementation of CSfC requires multiple components from different vendors, and each part of your final product must be CSfC approved.
To simplify the process, NSA provides Capability Packages, which are essentially reference architectures to be used as a starting point for building CSfC solutions. Using a Capability Package makes building a solution much easier and greatly increases the odds that your final CSfC solution will receive NSA certification.
The Data at Rest Capability Package provides a system-level solution framework: the security requirements and configuration information that let you select parts from the Commercial Solutions for Classified (CSfC) Components List and be assured your product will have sufficient protection for classified data stored on an end-user device.
The Data at Rest Capability Package requirements ensure that your final solution properly uses Commercial National Security Algorithm (CNSA) Suite encryption. These particular algorithms meet NSA's standards for protecting sensitive information and will be used at different levels of your COTS products.
Most importantly, you must use two independent layers of encryption to protect information stored on the end-user device -- typically a combination of hardware and software-based encryption. This helps to mitigate the risk of unauthorized access to any classified information that might be stored on those devices.
The capability package also details the required methods of authentication to access the device and the data stored there through the two layers of encryption. When the device is started up, the user will have to enter a PIN to unlock the hard drive and then log in and unlock the software-based encryption with a separate PIN.
Additionally, it provides guidance on the physical control and management of the end-user device, including what to do when it is lost. For more information on this, refer to the actual Capability Package to learn about “lost and found” and “incident reporting” details.
The CSfC Data at Rest Capability Package specifies three different types of data: Red, Gray, and Black. This terminology is used to describe the level of protection required for each data type as follows:
- Red Data: Unencrypted classified data stored or processed on the end-user device. This data can be accessed once the user authenticates through both levels of encryption.
- Gray Data: Classified data that has been through one layer of encryption. This data can be accessed once the user authenticates through the outer layer of encryption.
- Black Data: Classified data that has been through both layers of encryption. This is how data is stored when the device is off or has not been authenticated yet.
The CSfC Data at Rest Capability Package details specific requirements for all of the following components of a solution:
- Software Full Disk Encryption
- File Encryption
- Platform Encryption
- Hardware Full Disk Encryption
- End-User Device
- Removable Media
When building a CSfC solution for data at rest, use the Capability Package to determine the requirements for each component, reference the sample solution designs, and then find a provider on the CSfC Components List from which to source each required component.
If getting started daunts you, NSA also provides a list of Trusted Integrators. These third-party contractors have met a strict set of criteria and can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
If you’d prefer to outsource solution development, a number of vendors also make CSfC kits.
After finding the right CSfC vendor and outlining your use case, you can remain reasonably hands-off during development. Once complete, you can submit the final CSfC solution to NSA for approval.
The most important thing to remember is that no matter your level of technical expertise or time commitment, a CSfC solution is within reach.
Use Cases for the CSfC Data at Rest Capability Package
The Data at Rest Capability Package is applicable across a wide variety of use cases. The most important factor across all of these is the need to protect data on end-user devices that are outside of a strict, physically controlled environment.
This capability package is most commonly required when building a Mobile Access solution because, by definition, devices will have to be outside of a protected environment to connect.
Some common use cases for building a mobile access solution include remote access for traveling executives or field operatives.
It is also frequently required for law enforcement agencies who need the ability to set up mobile security operations centers (SOCs) or command centers at a moment’s notice.