Attention CSfC Customers: Solution Registrations will be processed only after all required forms, to include network diagrams, are submitted and validated. Please email the CSfC team for questions.

Solution Registration

NSA has developed Commercial Solutions for Classified (CSfC) Capability Packages (CPs) that contain system level designs and requirements for designing and implementing solutions that are capable of protecting National Security Systems (NSS) and the information therein.  Before a solution can be used to protect NSS and the information contained therein, it must be registered with NSA. Through the registration process, NSA acknowledges that the customer’s solution is compliant with the associated CP(s). 
CSfC strongly encourages customers to utilize the services of a CSfC Trusted Integrator (TI).  Trusted Integrators can assist customers to architect, design, integrate, test, document, register, field, and support CSfC-compliant solutions.
 
NSA’s goal is to aid the customer in getting their registering their solution quickly as possible.  For solutions that comply fully with the CP(s), the registration process is quicker and more efficient.  However, wherever a solution deviates from the CP(s), the registration process is slowed because NSA must devote additional resources and time to determine whether the resulting risk is within tolerable limits.  Therefore, it is in the customer’s best interest to avoid deviations, and, where they cannot be avoided, to accurately and completely document them.
 

Capability Package Solution Registration Process

Collapse All Expand All
 1. Section 1. Customer Initiation-The first step in a solution registration is to review the associated CPs to determine which meets their needs. After selecting the appropriate CP(s), the customer discusses solution basis and fundamentals with the CSfC PMO.
  1. Engage Early: After finalizing their design, customers are required to email CSfC  PMO to advise NSA of their intention to register a solution.
  2. Preliminary Meeting: Prior to submitting the complete Solution Registration Package, customers coordinate the Preliminary Meeting with the CSfC PMO (mailto link csfc_register@nsa.gov) with the appropriate solution artifacts describing the proposed registration which includes the following: 
    1. Network Diagrams, and/or Proposed Component Selections
    2. Concept of Operations (CONOPS)
  3. Registration ID Issued: Upon a successful completion of the Preliminary Meeting, the customer will obtain a Solution Registration Identification Number from the CSfC PMO along with a welcome letter that outlines the registration artifacts that are required for submission.
 Section 2- Registration Submission- The customer provides a complete Solution Registration Package to the CSfC PMO. Additionally, the customer selects their approved components and conducts initial integration and testing of the solution in a controlled manner.

a)      Customer will submit the completed Solution Registration Package to the CSfC PMO. All artifacts below must be submitted before the PMO can begin the review process:

                                            i.            Registration Form, with all fields completed [e.g., POCs, Designated Accrediting Authority (DAA)/Authorizing Official (AO), Trusted Integrator, Components’ Manufacturer and Model (to include software versioning), etc.] or, marked “N/A”.

**Note: the AO does not sign the Registration Form at this time.

                                           ii.            Compliance Checklist Workbook (provided by the CSfC PMO) with brief, specific responses explaining how the solution implements the requirements of the CP(s) and Annex(es)

                                         iii.            Deviation Requests (if applicable) that provide sufficient detail on: why the requirement cannot be met, risk mitigations, how to achieve future compliance.

                                         iv.            Network diagram(s) accurately depicting all of the components of the solution design as well as the proper separation of networks and classification levels

                                           v.            Concept of Operations (CONOPS)

                                         vi.            Policy governing the CSfC solution [e.g. Continuity of Operations Plan (COOP) and Certificate Policy (CP)/Certificate Practice Statement (CPS)]

a)      Please ensure confirmation of submission is received (.zip and bulk files submissions may need to be reduced in size)

 Section 3. Registration Review Process

3.1 Registration Advocate Review Process – The CSfC PMO assigns the Solution Registration Package to a cybersecurity professional (Registration Advocate).  The Registration Advocate will review the registration submission and oversee the deviation adjudication and approvals.

 

a)      The Registration Advocate will initiate an introductory email to customer POC(s), establishing a dialogue for the length of the review. 

b)      The Registration Advocate begins analyzing the customer’s Solution Registration Package artifacts and verifies how the solution implements the CP requirements.

c)      If no deviations, proceed to Section 4. Registration Acknowledgement.

 

3.2 CP Deviation Review Process – After review of the Registration Package, the Registration Advocate processes the Solution registration and associated deviations through a Technical Recommendation process.  This consists of two different review boards at the senior and executive technical level, both of which consider options, assess mitigations, and associated risks. The result of this process is a technical Memorandum for the Record (M/R) for consideration by management regarding approval.

 

3.3 CP Deviation Approval Process – The NSA Cybersecurity Directorate leadership considers the technical M/R, as well as the totality of information available to them regarding risk correlated with this solution and associated deviations to make an informed decision to approve the deviations for this registration or reject the registration.

 

a)      The conclusion of this process is a CP Deviation Approval Letter, or a Notification of Rejection of the registration.

 

 Section 4. Registration Acknowledgement- The AO attests to the accuracy of the Solution Registration Package (acknowledging any associated deviation approvals) by signing the Registration Form. Upon receipt of the AO's signature, NSA issues a Registration Acknowledgement Letter. The Registration Acknowledgement Letter establishes the official CSfC Registration date, indicating a valid CSfC registration for one (1) year.
  1. Registration Acknowledgement without Deviations  
 
  1. The AO attests that the solution will be implemented, configured and fielded in accordance with the Solution Registration Package with no deviations by signing the Registration Form.
  2. Upon receipt of the AO-signed Registration Form, NSA issues a Registration Acknowledgement Letter signed by the Director of the CSfC PMO.  This letter also establishes the start date of CSfC Registration that is valid for one (1) year.
  3. The Registration Acknowledgement Letter is the artifact that attests to CSfC Compliancy for the solution owner to use in their system approval process.
**Note: Customers are responsible for obtaining certification and accreditation of its implementation under their organization's established accreditation and approval processes.
 
4.2 Registration Acknowledgement with Deviations
 
  1. The AO is provided a CP Deviation Approval Letter and associated risk statement(s) for this Solution Registration valid for one (1) year. 
  2. The AO attests that the solution will be implemented and configured in accordance with the Solution Registration Package, acknowledging deviation approval(s), by signing the CSfC Registration form.
  3. NSA issues a Registration Acknowledgement Letter, signed by the Director of the CSfC PMO.  The Registration Acknowledgement Letter and Deviation Approval Letter are artifacts for an AO to pursue an ATO.  The Registration Acknowledgement Letter will recognize the registration for one (1) year from the date of approval. 
  4. The Registration Acknowledgement Letter is an artifact attesting to CSfC compliancy for the solution owner to use in their system approval process.
**Note: Customers are responsible for obtaining certification and accreditation of its implementation under their organization's established accreditation and approval processes.
 
 
 Section 5. Registration Renewal- Solution Registrations are valid for one (1) year from the date of the Registration Acknowledgement Letter. Registration renewal must be completed before the expiration date.

a)      Deviations are only approved for one (1) registration period (one year).  Every effort must be made to meet CP requirements; reoccurring deviations will receive additional scrutiny and may not be approved.

b)      Renewing customers must submit the renewal registration package 3 months prior to the expiration date documented in the Registration Acknowledgement Letter.

c)      Non-renewing customers should notify CSfC PMO and decommission their solutions prior to the expiration date documented in the Registration Acknowledgement Letter.

d)      Details on non-renewing or expired CSfC registrations may be provided to NSS enforcement organizations for action.

Please email the CSfC PMO Register Inbox (csfc_register@nsa.gov) before sending any registration artifacts.

Applicable Forms:

NSA provides downloadable resources for assistance with the CSfC process.

Collapse All Expand All
 NOTE: The NIST SP 800-53 SECURITY CONTROLS and Solution Registration form for each associated CP/Annex are now located under the Capabilities Packages page.