If you’re thinking about building a , there are a few things to consider before getting started. One of the most important things and contractors can do is be aware of the process to get your final Certified, and have a good understanding of the things you can do to make that process easier (and faster!).
Because Archon's GoSilent products are approved for use in deployments and are used in national systems, we are often asked by organizations that are considering going down the route how long it takes to get a approved through the office. And of course, like all good things in life, the answer is: it depends.
Quite honestly, the most important factor that will determine the timeline for your approval is you.
We’ve been lucky to work very closely with Trusted Integrators like Scott Morrison at 4n2n Solutions, LLC, and between his wealth of experience and ours, we can give some guidance on what to expect and what you can do to speed up this process.
In this article, you will find the answers to the following questions:
- How long does it take to build a CSfC solution?
- What factors influence the CSfC approval timeline?
- What is the process for getting a CSfC solution approved?
- How can I speed up the process of building a CSfC approved solution?
- How does the CSfC timeline compare to the timeline for NSA type 1 encryption equipment?
🔎 Related Articles: Visit the CSfC Resource Center.
How long does it take to build a
In general, you can expect that building and gaining approval for a will take, at minimum, six months. It is rare to see an designed, purchased, built and approved in this timeline, but it is possible, especially if you have a well-thought-out plan and have a prepared (and set aside) budget.
More commonly, however, we see deployments take somewhere closer to 9 to 18 months to get all the way through to completion from the time of initial idea and planning, to approval by the office, with purchasing and installation of products the stages of the process that generally take the longest.
What factors influence the
There are pretty standard timeframes for the parts of the process where the office is involved, but where we see the biggest variations in how long the launch of a ultimately takes from ideation to completion are the parts of the process that are controlled from within your organization.
The biggest determinants are:
- How long internal approvals and communication within your organization takes;
- Timeline for the approval of the budget and ultimate release of funds for purchases;
- The number of reworks or revisions to your architecture design; and
- The number and size of deviations your architecture has from the you are starting from.
There are plenty of things you can do to make the process quicker and easier for your organization, but starting out by evaluating how fast your organization will be able to move with the items listed above will help you set realistic expectations and prepare appropriately.
What is the process for getting a
You will start with designing the architecture to fit your unique needs. Based on our experience, we strongly recommend that you involve the Project Management Office (PMO) early in the design process.
Before finalizing your design, you can (and should) do all of the following:
- Advise NSA of your plan to register a before finalizing the design.
- Obtain a Registration Identification number.
- Coordinate with the PMO to provide your documentation ahead of obtaining a signed version with the Authorizing Official (AO) so that engineers can review, advise and make recommendations.
- Configure and test your system using guidance from engineers.
Once you have a finalized design, built a prototype and completed rigorous , it’s time to submit your paperwork for registration and approval by the NSA.
The Registration process is as follows:
- Complete your (CP) documentation (keep in mind there are separate versions of the following forms for the different CPs):
- Registration Form
- Compliance Checklist
- Deviation Forms (if applicable)
- diagrams outlining your and architecture
- Obtain a signature from your Authorizing Official (AO):
- Send your completed paperwork to your AO to sign. By signing, an AO is “asserting compliance with the published CP and acknowledging and accepting the risk of fielding a ” (source).
- Submit your completed and signed documentation:
- Completed Registration packages should be emailed directly to the PMO.
- Obtain a letter of acknowledgment:
- Once NSA verifies compliance, it will provide a letter of acknowledgment that registration was completed and the time period for which it will last.
- You will be required to re-register your package at the close of that time period.
How can I speed up the process of building a CSfC approved solution?
There are a few very important tips we can offer to help you speed up the process and avoid some of the common pitfalls that might otherwise drag out the process.
Involve a Trusted Integrator
Trusted Integrators have both strong relationships with the clients they serve, and a deep understanding of each individual and the components on the Approved Component List. While you're not required to use a to build your , the management office (PMO) highly recommends it and it will improve your chances of getting registered quickly.
If you decide to work with a , you should look for an organization with extensive experience that knows the Capability Packages inside and out. Ideally, they should have a pre-existing relationship with NSA (and be aware of how they work to protect ) and have experience working with the on the to build a .
You should ask your potential partner how many deployments they have done and which CPs they have used to get a good sense of their prior experience.
A good partner’s experience and expertise will save you considerable time and shorten the learning curve throughout the approval process.
Engage with CSfC early
Make sure you take full advantage of the PMO office throughout the process.
As soon as you know which CP you will be using as a starting point, and you have an idea of what you want to achieve, it's a good idea to reach out to the office and do all of the following:
- Notify them that you plan to submit a package for approval. Often they can add your name to the list to help speed up the process once you’ve submitted.
- Discuss with them any deviations you are planning from the you are using. They will be able to point you in the right direction or tell you what you can and can’t do.
- Ideally, get written answers from the PMO to any questions you ask that you can include for reference in your final documentation for submission.
Submit an official intent
As soon as you have your architecture designed and have built out a Bill of Materials (BOM) with the approved products you plan to use, submit that design to the office.
You’ll want to prepare a test or pilot environment, which is fine to start before (or while) you are working on submitting your official intent.
What you want to make sure of, however, is that you submit your intent (and hear back from NSA) before you purchase the full amount of products for production, just in case they suggest you change something that will ultimately change your BOM.
They will review your design, typically within a matter of weeks, and let you know if something needs to be changed or if it looks good as-is. At this point, you can launch into larger-scale production purchases.
Reduce the chance of submission rejection
Once you have fully tested your , it will be time to submit it for final certification. NSA’s website estimates that it will take around 30 days to complete reviews of submissions and complete their .
Ultimately, the thing that will add the most time to the process of building a is redesigns or reworks. All of the tips provided in the sections above will help reduce the chances of this happening.
In order to help NSA review your submission faster and reduce the chance they will reject it, keep the following in mind:
- Sticking as closely as possible to a CP or existing approved will reduce the chance that a redesign will be required.
- Specifically call out and explain any deviations from the CP to make it easier for them to review.
- The more deviations you have from the CP, the longer you can expect a review to take.
- If a has already submitted a similar architecture for approval, it can make it very easy for NSA to compare to something that has already been approved.
- Having good relationships with both the office and your Authorizing Official (AO), and asking them questions frequently throughout the process, will help make sure, once you get to your final submission, that everything will be in order.
🔎 Related Articles: CSfC Certification.
How does the CSfC timeline compare to the timeline for NSA type 1 encryption equipment?
In terms of the timeline for the initial launch, there isn’t a clear “one is faster than the other” when comparing to type 1.
What we can tell you is that you have more direct control over the timeline for solutions than you do with type 1, and as a result, if your organization can move quickly, then you will definitely be able to stand up a more quickly.
With NSA Type 1 products, you are at the mercy of whenever the equipment is available. You’ll put the order in, and can end up waiting for up to two years for that equipment to be delivered. As a result, in the case of Type 1 equipment, there isn’t anything you can personally do to control the timeline.
Once your initial has been approved and launched, adding additional endpoints is as simple as purchasing off-the-shelf commercial equipment and provisioning it to work within the system.
By comparison, adding additional units of Type 1 equipment follows the same waiting period as the initial (up to two years).
Final thoughts
One of the most attractive parts of a is how much control is placed in your hands. The timeline for you to plan and build a is 100% dependent upon you, which means that if you’re ready, you can make it happen fast!
Are you ready?
