As part of the CSfC program, NSA offers several Capability Packages as a starting point for users to implement their own solutions. The products, or components, used to build CSfC solutions must be selected from the CSfC Components List. These components have been certified through NSA’s rigorous National Information Assurance Partnership (NIAP) evaluation process and, where applicable, validated against Federal Information Processing Standards (FIPS).
The NSA CSfC Capability Packages (CPs) are reviewed, updated and re-published for use on a regular basis. CPs provide vendor-agnostic requirements for the implementation and configuration of a secure solution within a certain architectural area. There are currently four CPs:
- Mobile Access Capability Package: Describes how an organization can build a solution that allows remote endpoints to communicate back to the highly-protected primary network over unclassified networks or the open internet without risking security to classified information.
- Multi-Site Connectivity Capability Package: Describes how an organization can build a solution that connects various site networks together and allows them to communicate with each other over unclassified networks or the open internet without risking security to classified information.
- Wireless LAN Capability Package: Describes how an organization can build a solution that allows for campus-wide secure connectivity when protected by a physical barrier or perimeter.
- Data-at-Rest Capability Package: Describes how an organization can build a solution that protects classified data stored on end-user devices.
In addition to the CPs themselves, there are also CP Annexes. Annexes provide similar vendor-agnostic information and architecture guidance but focus on areas that apply across more than one CP.
Choosing the right Capability Package
The capability package you choose to use as the starting point for your CSfC solution will depend upon what you are trying to achieve. You will also find that your ultimate solution, or set of solutions, may need to span multiple capability packages.
Most of the time, you’ll find that you start with an initial solution and then layer more components on top of that to incorporate the remaining capability packages.
For instance, a common maturity growth path begins with the implementation of a solution for remote access to your main, centralized network (Mobile Access CP), at which point you’ll need to determine how the data on your end-user devices are protected in the field (Data-at-Rest CP).
Once you’ve implemented that solution successfully, you may be ready to take the next step and expand to multiple sites or campuses that need to connect their primary networks together (Multi-Site Connectivity CP).
And, finally, you may decide it is time to offer wireless connectivity across a physically protected campus (Wireless LAN CP).
Below, you’ll find a breakdown of which capability package would be a fit for the type of goals you are looking to achieve.
The solution you deploy should incorporate the architecture that best meets your overall goals; the details of the various architectures are spelled out in the individual capability packages.
One example is the difference between the architecture needed for a Mobile Access solution and the one needed for a Multi-Site solution. We will demonstrate this with some diagrams of our solutions for each.
Mobile Access Solution
GoSilent Server, our CSfC-approved solution for mobile access, works in conjunction with our GoSilent Cube to create secure connections between external devices and your protected internal network.
GoSilent establishes a connection to the enterprise server and builds an “IPSec tunnel” that terminates inside the enterprise firewall. Users can then securely access corporate resources without being exposed to attack over an open WiFi or Internet connection, and IP-enabled devices behind GoSilent can securely retrieve, send and store data behind the corporate firewall.
You’ll see that in this architecture, most of the requirements for CSfC components live on the end-user device.
Multi-Site Connectivity Solution
GoSilent Site-to-Site, our CSfC-approved solution for multi-site connectivity, connects multiple disparate Local Area Networks (LANs) together when combined with a GoSilent Server (GSS) virtual appliance deployed at each location, or site.
On each GoSilent Server, the first network interface is connected to the site’s LAN, and the second network interface is connected to the Wide Area Network (WAN), typically the internet.
The GoSilent Servers at each location establish a secure IPSec IKEv2 VPN tunnel between each other, after which the devices and applications on the two LANs can communicate with each other. Administrators can also restrict which devices and applications may communicate using firewall functionality.
In this instance, most of the required CSfC components live on the server side, and the performance and throughput requirements are greater because of the volume of data being transmitted.
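As an added illustration of the two-interface, site-to-site architecture described above (this is not GoSilent’s own configuration): the equivalent IKEv2 gateway definition for one site, expressed as a strongSwan swanctl.conf. All addresses, subnets, file names and certificate identities are constructed, and the algorithm choices follow the CNSA Suite that the CSfC Capability Packages require for the VPN layer.

```conf
# Site A gateway (constructed example; strongSwan syntax, not GoSilent's)
# Interface 1 (LAN):  10.1.0.0/24 sits behind this gateway
# Interface 2 (WAN):  203.0.113.10 (constructed documentation address)
# Peer (Site B):      WAN 198.51.100.20, LAN 10.2.0.0/24 (constructed)
connections {
    site-a-to-site-b {
        version      = 2                  # IKEv2 only, no IKEv1 fallback
        local_addrs  = 203.0.113.10       # this gateway's WAN interface
        remote_addrs = 198.51.100.20      # the peer site's WAN interface

        # CNSA Suite for IKE: AES-256-GCM, SHA-384 PRF, ECDH P-384 (group 20)
        proposals = aes256gcm16-prfsha384-ecp384

        local {
            auth  = pubkey
            certs = siteA-gateway.pem     # ECDSA P-384 cert from the solution CA
            id    = "C=US, O=Example, CN=siteA-gw.example.net"
        }
        remote {
            auth    = pubkey
            id      = "C=US, O=Example, CN=siteB-gw.example.net"
            cacerts = solution-ca.pem     # trust only the solution's own CA
        }

        children {
            lan-to-lan {
                local_ts  = 10.1.0.0/24   # LAN behind interface 1 here
                remote_ts = 10.2.0.0/24   # LAN behind interface 1 at the peer
                # CNSA Suite for ESP, with P-384 PFS on every rekey
                esp_proposals = aes256gcm16-ecp384
                rekey_time    = 1h
                start_action  = start     # bring the tunnel up at boot
                dpd_action    = restart   # re-establish if the peer goes quiet
            }
        }

        dpd_delay  = 30s
        rekey_time = 4h
    }
}
```

Site B uses the mirror image of this file with the addresses, subnets and identities swapped; the per-device and per-application restrictions mentioned above are enforced on the gateway’s forwarding path between the two LAN subnets, outside this file.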