
Commercial Solutions for Classified Program

Background

U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, the National Security Agency/Central Security Service's (NSA/CSS) Information Assurance Directorate (IAD) is developing new ways to leverage emerging technologies to deliver more timely IA solutions for rapidly evolving customer requirements.

NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.

Click to view Commercial Solutions for Classified Brochure (PDF).


What is the Process to get a Commercial Product CSfC-Listed?

Vendors who wish to have their products eligible as CSfC components of a composed, layered IA solution must build their products in accordance with the applicable US Government approved Protection Profile(s) and submit their product using the Common Criteria Process.

The vendor will enter into a Memorandum of Agreement (MoA) with NSA. The MoA specifies that the vendor’s product must be NIAP certified, FIPS certified, and that the vendor agrees to fix vulnerabilities in a timely fashion. The MoA may also reference technology-specific selections for NIAP testing.

Interested vendors must complete and submit the CSfC Questionnaire (PDF) for each product. Please submit completed questionnaires to csfc_components@nsa.gov.

Questions regarding CSfC components may be directed to csfc_components@nsa.gov.


An Update to the Manufacturer Diversity Requirement

The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers. The manufacturer must show sufficient independence in the code base and cryptographic implementations of the products used to implement each layer. To demonstrate this, a manufacturer must document the similarities and differences between the two products, to include cryptographic hardware components, software code base (i.e. operating system), software cryptographic libraries, and development teams. It is a fundamental requirement that the code bases of the two products be significantly different. Additionally, the vendor must document measures taken to ensure that supply chain risk is no greater than would be the case for products from two different vendors. NSA will review the information and determine whether the documentation is sufficient to meet the requirements for independent layers. Manufacturer diversity will continue to be accepted to constitute independent layers.

Vendors who wish to submit a statement may do so at csfc_components@nsa.gov.


CSfC Components List

Click here to download the CSfC Components List. Customers select products from this listing to satisfy the reference architectures and configuration information contained in published Capability Packages. Customers must ensure that the components selected will permit the necessary functionality for the selected architecture.

Components used in prototypes that are not NIAP-approved may be listed on the CSfC Components List provisionally until a US Government approved Protection Profile for the technology is available. Once the Protection Profile is available, a company has six months to enter into a MoA with NSA to remain listed as a CSfC component.

Open source components may be listed, provided they have a responsible sponsor and an NSA-approved plan for taking the component through Common Criteria evaluation and for sustainment of the component. Customers wishing to use open source components should contact csfc_components@nsa.gov with their evaluation and sustainment plans and the responsible parties for each.

Questions regarding the CSfC Components List may be directed to csfc_components@nsa.gov.


What Protection Profiles are Published and in Development?

For a current listing of NIAP approved U.S. Government Protection Profiles, go to http://www.niap-ccevs.org/pp/.

For a listing of U.S. Government Protection Profiles currently in development, go to http://www.niap-ccevs.org/pp/draft_pps/.

Additional information about NIAP and the Common Criteria Evaluation and Validation Scheme can be found at http://www.niap-ccevs.org/.


What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements.


How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA/CSS through their designated IAD Customer Advocates.

Integrators should coordinate through their U.S. Government customer points of contact.


How do Customers Register a CSfC Solution?

Customers will submit a compliance checklist and registration form to NSA (see below sections for forms specific to each Capability Package). To request editable forms, please email csfc_register@nsa.gov. The registration process includes the following steps:

  1. The customer completes the compliance checklist, detailing how their solution complies with the Capability Package, and submits the checklist to the Authorizing Official (AO).
  2. The customer tests the solution.
  3. The AO confirms after testing that the checklist is accurate and signs the CSfC registration form.
  4. The AO submits the registration form and compliance checklist to NSA.
  5. NSA provides a letter acknowledging registration.
  6. The AO provides Authority to Operate (ATO).

NSA recommends that Authorizing Officials use the compliance checklists during their process for granting Interim Approval to Test.


Criteria for CSfC Integrators

Click here to download the updated criteria and application for CSfC Integrators. These criteria and processes are defined to provide a common baseline for CSfC solution integrators, enabling NSA, AOs/Designated Approving Authorities (DAAs) to assess the capabilities of solution integrators and accept their results. Interested integrators may submit their application to CSFC_Integrators@nsa.gov. Questions may be submitted to the same email address.


The Future

Although NSA/CSS's strategy for protecting classified information continues to employ both commercially-based and traditional Government-Off-The-Shelf (GOTS) IA solutions, IAD will look first to commercial technology and commercial solutions in helping customers meet their needs for protecting classified information while continuing to support customers with existing GOTS IA solutions or needs that can only be met via GOTS.

Updates will be posted to this site as the Commercial Solutions for Classified program continues to progress. If you wish to receive an email notification about updates to this website, please email CSfC at csfc@nsa.gov.


Frequently Asked Questions

Click here to download the Non-Technical Frequently Asked Questions

Click here to download the Technical Frequently Asked Questions

CSfC Customer Handbook

Click here to download the Customer Handbook. This will serve as a guide for CSfC customers on how to use the Capability Packages, CSfC Component Listing, Registration, and Lifecycle Support resources.


General Questions

For general queries about the Commercial Solutions for Classified Program, email CSfC at csfc@nsa.gov.


Capability Packages

Campus WLAN Capability Package

The Campus IEEE 802.11 Wireless Local Area Network (WLAN) Version 1.1 Capability Package, dated 04 March 2014, has been approved by the IA Director. This Capability Package enables customers to meet the demand for commercial End User Devices (i.e., tablet and laptop computers) to access secure enterprise services over a campus wireless network. This Capability Package takes lessons learned from two proof-of-concept demonstrations which included the layered use of COTS products for the protection of classified information. This document is intended to be a living reference that will be reviewed twice a year to ensure that the defined architecture and other instructions still provide the required security services and robustness.

Users of this Capability Package are responsible for obtaining, under their organization's established accreditation and approval processes, certification and accreditation of the user's implementation of this Capability Package. Solutions designed according to this Capability Package must be registered with NSA/IAD. Once registered, a signed IAD Approval Letter will be provided validating that the Campus WLAN Capability Package represents a CSfC solution approved for protecting classified information.

Click here to download the approved Campus WLAN Version 1.1 Capability Package: Campus WLAN Capability Package (PDF)

IAD welcomes comments on the approved Campus WLAN Version 1.1 Capability Package, which can be sent to your NSA/IAD Client Advocate or the Campus WLAN Capability Package maintenance team at Wi-Fi@nsa.gov.

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.

Campus WLAN Solution Registration

All CSfC Campus WLAN solutions operating on National Security Systems (NSS) or protecting NSS information need to be registered with NSA. In order to complete the solution registration form, you will need an assigned ID number. You can request this registration number by sending an email to csfc@nsa.gov.

All customers are required to submit a Campus WLAN compliance checklist with their registration form. Please provide brief responses.

Click here to download the Campus WLAN CP Compliance Checklist: Campus WLAN CP Compliance Checklist

Click here to download the Campus WLAN Solution Registration form: Campus WLAN Solution Registration Form

By signing the registration form the AO is either: asserting compliance with the published Campus WLAN CP and acknowledging/accepting the risk of fielding a CSfC solution; or acknowledging inclusion of a Campus WLAN CP Deviation Approval signed by NSA and acknowledging/accepting the risk of fielding a CSfC solution.

Completed registration forms and compliance checklists should be emailed to: csfc_register@nsa.gov.

If the form is classified, please contact the CSfC Program Management Office for delivery instructions.


Archived Campus WLAN Capability Packages

NSA will not accept solution registrations against the following superseded Campus WLAN Capability Packages. CSfC customers should use the latest IAD-approved version of the Campus WLAN Capability Package.

Archived Capability Packages:

  • Campus WLAN CP Version 0.8 (04 Oct 2012)
  • Campus WLAN CP Version 0.9 (14 Dec 2012)
  • Campus WLAN CP Version 1.0 (20 Aug 2013)

Superseded By: Campus WLAN CP Version 1.1 (04 Mar 2014)

Virtual Private Network (VPN) Capability Package

Version 2.0 of the VPN Capability Package, dated 28 May 2013, has been approved by the IA Director. This Capability Package enables customers to implement VPNs between two or more sites and VPNs between fixed sites and End User Devices (EUDs). This Capability Package takes lessons learned from four proof-of-concept demonstrations that had implemented a set of Suite B algorithms, modes of operation, standards, and protocols. These demonstrations included a layered use of COTS products for the protection of classified information. This document is intended to be a living reference that will be reviewed twice a year to ensure that the defined architecture and other instructions still provide the required security services and robustness.

Users of this Capability Package are responsible for obtaining, under their organization's established accreditation and approval processes, certification and accreditation of the user's implementation of this Capability Package. Solutions designed according to this Capability Package must be registered with NSA/IAD. Once registered, a signed IAD Approval Letter will be provided validating that the VPN Capability Package represents a CSfC solution approved for protecting classified information.

Click here to download the approved VPN Capability Package v2.0: Virtual Private Network Capability Package v2.0.

IAD welcomes comments on the approved VPN Capability Package v2.0, which can be sent to your NSA/IAD Client Advocate or the VPN Capability Package maintenance team at VPN@nsa.gov.

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.

VPN Solution Registration

All CSfC VPN solutions operating on National Security Systems (NSS) or protecting NSS information need to be registered with NSA. In order to complete the solution registration form, you will need an assigned ID number. You can request this registration number by sending an email to csfc@nsa.gov.

If the VPN solution has one infrastructure with multiple VPN end user devices, only one VPN registration form will need to be submitted. If the VPN solution is re-used at multiple locations, a separate VPN registration form for each location must be submitted.

All customers are required to submit a VPN compliance checklist with their registration form. Please provide brief, specific responses.

Click here to download the VPN CP Compliance Checklist: VPN CP Compliance Checklist. To request editable forms, please email csfc_register@nsa.gov.

Click here to download the VPN Solution Registration form: VPN Solution Registration Form. To request editable forms, please email csfc_register@nsa.gov.

By signing the registration form the AO is either: asserting compliance with the published VPN CP and acknowledging/accepting the risk of fielding a CSfC solution; or acknowledging inclusion of a VPN CP Deviation Approval signed by NSA and acknowledging/accepting the risk of fielding a CSfC solution.

Completed registration forms and compliance checklists should be emailed to: csfc_register@nsa.gov. To request editable forms, please email csfc_register@nsa.gov.

If the form is classified, please contact the CSfC PMO for delivery instructions.


Version 2.08 of the VPN Capability Package, dated 19 December 2013, provides VPN architecture guidance for use of a single Gray network with networks of different classification levels and for the distribution of certificate revocation information over the network. This public release of the VPN Version 2.08 Capability Package does not supersede the IAD-approved VPN Version 2.0 Capability Package. Version 2.08 is being provided to initiate discussions with customers and industry. Comments can be sent to the appropriate IAD Client Advocate or the CSfC VPN Capability Package maintenance team at VPN@nsa.gov.

Click here to download the public comment release of the CSfC VPN Version 2.08 Capability Package: Virtual Private Network Version 2.08 Capability Package.

Click to download the VPN Capability Package v2.08 Comment Matrix and Instructions. Please use this matrix for all comments/suggestions.


Archived VPN Capability Packages

NSA will not accept solution registrations against the following superseded VPN Capability Packages. CSfC customers should use the latest IAD-approved version of the VPN Capability Package.

Archived Capability Packages:

  • Multi-Site VPN CP Version 0.8 (14 Mar 2012)
  • Multi-Site VPN CP Version 1.0 (17 Aug 2012)
  • VPN CP Version 1.08 (04 Mar 2013)

Superseded By: VPN CP Version 2.0 (28 May 2013)

Data at Rest Capability Package

The first CSfC data-at-rest document to be released is the initial draft of the CSfC Data-at-Rest (DAR) Capability Package (CP) to meet the demand for data-at-rest solutions using a Secure Sharing Suite (S3) of algorithms [NSA Suite B]. DAR CP Version 0.8 enables customers to implement two independent layers of encryption for the purpose of providing protection for stored information while the End User Device (EUD) is unpowered or in an unauthenticated state. This CP takes lessons learned from one proof-of-concept demonstration per solution design that has implemented a set of S3 algorithms, modes of operation, standards, and protocols. These demonstrations included a layered use of COTS products for the protection of classified information. It is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied. As a first step, this version contains guidance on the required procedures and requirements for building and implementing a Data-at-Rest capability.

This document is being provided to initiate discussions with our customers and industry. The Information Assurance Directorate welcomes comments, which can be sent to csfc_dar_team@nsa.gov.

Click here to download the public comment release of this Capability Package: Data-at-Rest Capability Package v0.8.

Click to download the DAR CP v0.8 Comment Matrix and Instructions. Please use this matrix for all comments/suggestions.

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.


Capability Packages

What's in Development

NSA is currently updating and evolving its suite of Capability Packages. Releases forthcoming in the next few quarters include:

  • Virtual Private Network v3.0 (Intersite Transport) (3Q CY-2014) – features a shared outer layer
  • Data at Rest v1.0 (4Q CY-2014) – Data at rest for lost laptop and mobile device use cases
  • Mobile Access v1.0 Cellular and Trusted Hotspot (1Q CY-2015) – updates Mobility Capability Package 2.3 to include DAR and to enable customer registration
  • Trusted Wireless User Access (2Q CY-2015) – evolution of WLAN/Campus WLAN CP; features a shared WPA2 layer

Go to NSA Mobility Program to download the Mobility Security Guide.


Updates

Date         Item
26 Jun 2014  Added Campus WLAN Ver 1.1 CP; updated landing page text.
23 May 2014  Updated integrator criteria section and document; updated brochure; updated compliance checklist text.
02 May 2014  Added Campus WLAN and VPN Compliance Checklists; updated landing page text regarding registration, MoAs, and Integrator Criteria.
19 Feb 2014  Added CSfC Components List Version 1.0; added VPN Version 2.08 CP, Comment Matrix and Instructions; updated landing text
23 Dec 2013  Added Campus WLAN Version 1.0 CP; removed older Campus WLAN CP version; added VPN and Campus WLAN Solution Registration forms; updated landing text
05 Nov 2013  Added Integrator Criteria; updated landing text
29 Aug 2013  Added VPN Version 2.0 CP; removed older VPN CP versions; added Archived VPN section; updated landing text
13 May 2013  Added VPN Version 1.08 CP Comment Matrix and Instructions; updated landing text
23 Apr 2013  Added VPN Version 1.08 CP; updated landing page text
18 Apr 2013  Added Brochure v2-5, Questionnaire v1.2
15 Feb 2013  Added Campus WLAN Ver 0.9 CP; updated landing page text
29 Jan 2013  Added VPN Version 1.0 CP and Customer Handbook; updated landing page text
05 Nov 2012  Added Campus WLAN Ver 0.8 CP; updated landing page text
15 Jul 2012  Added FAQ Responses; updated landing page text
15 May 2012  Updated Tri-Fold and landing page text
21 Mar 2012  Website established
 

Date Posted: Mar 21, 2012 | Last Modified: Jul 25, 2014 | Last Reviewed: Jul 25, 2014

 