Information Assurance Menu

.
Skip Search Box

Commercial Solutions for Classified Program

Background

U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, the National Security Agency/Central Security Service's (NSA/CSS) Information Assurance Directorate (IAD) is developing new ways to leverage emerging technologies to deliver more timely IA solutions for rapidly evolving customer requirements.

NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.

Click to view Commercial Solutions for Classified Brochure (PDF)


What is the Process to get a Commercial Product CSfC-Listed?

Vendors who wish to have their products eligible as CSfC components of a composed, layered IA solution must build their products in accordance with the applicable U.S. Government Protection Profile(s) and submit their products using the Common Criteria Process.

NSA/CSS enters into an agreement with the vendor which may stipulate other requirements for the particular technology. Once the product has met these requirements, NSA/CSS will add it to the list of commercial products available for use in the CSfC program.

Interested vendors must complete and submit the CSfC Questionnaire (PDF) for each product.


What Protection Profiles are Published and in Development?

For a current listing of NIAP approved U.S. Government Protection Profiles, go to http://www.niap-ccevs.org/pp/.

For a listing of U.S. Government Protection Profiles currently in development, go to http://www.niap-ccevs.org/pp/draft_pps/.

Additional information about NIAP and the Common Criteria Evaluation and Validation Scheme can be found at http://www.niap-ccevs.org/.


What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements.


How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA/CSS through their designated IAD Customer Advocates.

Integrators should coordinate through their U.S. Government customer points of contact.


The Future

Although NSA/CSS's strategy for protecting classified information continues to employ both commercially-based and traditional Government-Off-The-Shelf (GOTS) IA solutions, IAD will look first to commercial technology and commercial solutions in helping customers meet their needs for protecting classified information while continuing to support customers with existing GOTS IA solutions or needs that can only be met via GOTS.

Updates will be posted to this site as the Commercial Solutions for Classified program continues to progress. If you wish to receive an email notification about updates to this website, please email CSfC at csfc@nsa.gov.

Frequently Asked Questions

Click here to download the Non-Technical Frequently Asked Questions

Click here to download the Technical Frequently Asked Questions


CSfC Customer Handbook

Click here to download the Customer Handbook. This will serve as a guide for CSfC customers on how to use the Capability Packages, CSfC Component Listing, Registration, and Lifecycle Support resources.


General Questions

For general queries about the Commercial Solutions for Classified Program, email CSfC at csfc@nsa.gov.


CSfC Components List

Click here to download the CSfC Components List. Customers select products from this listing to satisfy the reference architectures and configuration information contained in published Capability Packages. Customers must ensure that the components selected will permit the necessary functionality for the selected architecture.


Criteria for CSfC Integrators

Click here to download the Criteria for CSfC Integrators. These criteria and processes are defined to provide a common baseline for CSfC solution integrators, enabling NSA, Authorizing Officials (AOs), and Designated Approving Authorities (DAAs) to assess the capabilities of solution integrators and accept their results.


Capability Packages

Campus WLAN Capability Package

The Campus IEEE 802.11 Wireless Local Area Network (WLAN) Version 1.0 Capability Package, dated 20 August 2013, has been approved by the IA Director. This Capability Package enables customers to meet the demand for commercial End User Devices (i.e., tablet and laptop computers) to access secure enterprise services over a campus wireless network. This Capability Package takes lessons learned from two proof-of-concept demonstrations which included the layered use of COTS products for the protection of classified information. This document is intended to be a living reference that will be reviewed twice a year to ensure that the defined architecture and other instructions still provide the required security services and robustness.

Users of this Capability Package are responsible for obtaining, under their organization's established accreditation and approval processes, certification and accreditation of the user's implementation of this Capability Package. Solutions designed according to this Capability Package must be registered with NSA/IAD. Once registered, a signed IAD Approval Letter will be provided validating that the Campus WLAN Capability Package represents a CSfC solution approved for protecting classified information.

Click here to download the approved Campus WLAN Version 1.0 Capability Package: Campus WLAN Capability Package (PDF)

IAD welcomes comments on the approved Campus WLAN Version 1.0 Capability Package, which can be sent to your NSA/IAD Client Advocate or the Campus WLAN Capability Package maintenance team at Wi-Fi@nsa.gov.

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.

Campus WLAN Solution Registration

All CSfC Campus WLAN solutions operating on National Security Systems (NSS) or protecting NSS information need to be registered with NSA. In order to complete the solution registration form, you will need an assigned ID number. You can request this registration number by sending an email to csfc@nsa.gov.

Click here to download the Campus WLAN Solution Registration form: Campus WLAN Solution Registration Form

By signing/submitting the Campus WLAN registration form to NSA, the AO/DAO is stating that the Campus WLAN solution complies with, and will continue to comply with the Campus WLAN Capability Package or its successors, and that the AO/DAO agrees to accept or mitigate the residual risks identified in the NSA risk assessment for the Campus WLAN Capability Package.

Completed registration forms should be emailed to: csfc_reg@nsa.gov
If the form is classified, please contact the CSfC PMO for delivery instructions.

Archived Campus WLAN Capability Packages

NSA will not accept solution registrations against the following superseded Campus WLAN Capability Packages. CSfC customers should use the latest IAD-approved version of the Campus WLAN Capability Package.

Archived Capability Package Superseded Superseded By
Campus WLAN CP Version 0.8 (04 Oct 2012)
Campus WLAN CP Version 0.9 (14 Dec 2012)
Campus WLAN CP Version 1.0 (20 Aug 2013)

Virtual Private Network (VPN) Capability Package

Version 2.0 of the VPN Capability Package, dated 28 May 2013, has been approved by the IA Director. This Capability Package enables customers to implement VPNs between two or more sites and VPNs between fixed sites and End User Devices (EUDs). This Capability Package takes lessons learned from four proof-of-concept demonstrations that had implemented a set of Suite B algorithms, modes of operation, standards, and protocols. These demonstrations included a layered use of COTS products for the protection of classified information. This document is intended to be a living reference that will be reviewed twice a year to ensure that the defined architecture and other instructions still provide the required security services and robustness.

Users of this Capability Package are responsible for obtaining, under their organization's established accreditation and approval processes, certification and accreditation of the user's implementation of this Capability Package. Solutions designed according to this Capability Package must be registered with NSA/IAD. Once registered, a signed IAD Approval Letter will be provided validating that the VPN Capability Package represents a CSfC solution approved for protecting classified information.

Click here to download the approved VPN Capability Package v2.0: Virtual Private Network Capability Package v2.0.

IAD welcomes comments on the approved VPN Capability Package v2.0, which can be sent to your NSA/IAD Client Advocate or the VPN Capability Package maintenance team at VPN@nsa.gov.

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.

VPN Solution Registration

All CSfC VPN solutions operating on National Security Systems (NSS) or protecting NSS information need to be registered with NSA. In order to complete the solution registration form, you will need an assigned ID number. You can request this registration number by sending an email to csfc@nsa.gov.

If the VPN solution has one infrastructure with multiple VPN end user devices, only one VPN registration form will need to be submitted. If the VPN solution is re-used at multiple locations, a separate VPN registration form for each location must be submitted.

Click here to download the VPN Solution Registration form: VPN Solution Registration Form

By signing/submitting the VPN registration form to NSA, the AO/DAO is stating that the VPN solution complies with, and will continue to comply with the VPN Capability Package or its successors, and that the AO/DAO agrees to accept or mitigate the residual risks identified in the NSA risk assessment for the VPN Capability Package.

Completed registration forms should be emailed to: csfc_reg@nsa.gov
If the form is classified, please contact the CSfC PMO for delivery instructions.


Version 2.08 of the VPN Capability Package, dated 19 December 2013, provides VPN architecture guidance for use of a single Gray network with networks of different classification levels and for the distribution of certificate revocation information over the network. This public release of the VPN Version 2.08 Capability Package does not supersede the IAD-approved VPN Version 2.0 Capability Package. Version 2.08 is being provided to initiate discussions with customers and industry. Comments can be sent to the appropriate IAD Client Advocate or the CSfC VPN Capability Package maintenance team at VPN@nsa.gov.

Click here to download the public comment release of the CSfC VPN Version 2.08 Capability Package: Virtual Private Network Version 2.08 Capability Package

Click to download the VPN Capability Package v2.08 Comment Matrix and Instructions. Please use this matrix for all comments/suggestions.


Archived VPN Capability Packages

NSA will not accept solution registrations against the following superseded VPN Capability Packages. CSfC customers should use the latest IAD-approved version of the VPN Capability Package.

Archived Capability Package Superseded By
Multi-Site VPN CP Version 0.8 (14 Mar 2012)
Multi-Site VPN CP Version 1.0 (17 Aug 2012)
VPN CP Version 1.08 (04 Mar 2013)
VPN CP Version 2.0 (28 May 2013)

Mobility Capability Package

Go to NSA Mobility Program to download the Mobility Capability Package.


Updates


Date Item
19 Feb 2014 Added CSfC Components List Version 1.0; added VPN Version 2.08 CP, Comment Matrix and Instructions; updated landing text
23 Dec 2013 Added Campus WLAN Version 1.0 CP; removed older Campus WLAN CP version; added VPN and Campus WLAN Solution Registration forms; updated landing text
5 November 2013 Added Integrator Criteria; updated landing text
29 August 2013 Added VPN Version 2.0 CP; removed older VPN CP versions; added Archived VPN section; updated landing text
13 May 2013 Added VPN Version 1.08 CP Comment Matrix and Instructions; updated landing text
23 April 2013 Added VPN Version 1.08 CP; updated landing page text
18 April 2013 Added Brochure v2-5, Questionnaire v1.2
15 Feb 2013 Added Campus WLAN Ver 0.9 CP; updated landing page text
29 Jan 2013 Added VPN Version 1.0 CP and Customer Handbook; updated landing page text
05 Nov 2012 Added Campus WLAN Ver 0.8 CP; updated landing page text
15 July 2012 Added FAQ Responses; updated landing page text
15 May 2012 Updated Tri-Fold and landing page text
21 March 2012 Website established
 

Date Posted: Mar 21, 2012 | Last Modified: Feb 20, 2014 | Last Reviewed: Feb 20, 2014

 
bottom