Capability Packages

U.S. Government CustomersPlease visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.


NSA welcomes comments on the approved Capability Packages, which can be sent to your NSA Client Advocate or the appropriate capability package maintenance team. Updates to these Capability Packages will be posted to this site.

Archived Capability Packages

Mobile Access Capability Package

Campus WLAN Capability Package

Multi-Site Connectivity Capability Package

Data at Rest Capability Package

Enterprise Gray Implementation Requirements Annex

Key Management Requirements Annex

Symmetric Key Management Requirements Annex

Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex

Continuous Monitoring Annex
Tactical Capability Package
 


What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements. Each Capability Package has a classified Risk Assessment associated with it. Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.

How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA through the NSA Client Contact Center.

Integrators should coordinate through their U.S. Government customer points of contact.

The following is the version naming scheme for the Commercial Solutions for Classified (CSfC) Capability Packages (CPs) and CP Annexes. It communicates the status, types of updates, types of changes, etc. to stakeholders by using a defined and documented naming convention. 
Capability Package and Annex (CP/Annex) Versioning Scheme
 



Mobile Access Capability Package

The Mobile Access Capability Package (MA CP) Version 2.6.0, dated 13 May 2024, has been approved by the Deputy National Manager (DNM) for National Security Systems (NSS) to meet the demand for mobile, data-in-transit, solutions using the Commercial National Security Algorithm (CNSA) Suite with National Information Assurance Partnership (NIAP) validated products to compose secure mobile solutions. This version provides guidance on fulfilling the mandated usage of Multi-Factor Authentication set by National Security Memorandum 8 (NSM-8) to institute additional safeguards for classified data when accessing NSS. Other significant enhancements include incorporation of the Continuous Monitoring Annex 1.1.0, Key Management Annex 2.1 as well as the Wireless Dedicated Outer VPN addition for the Tactical Use Case. This document supersedes the MA CP Version 2.5.1.


Download the approved Mobile Access Capability Package V2.6.0.

Contact the Mobile Access CP Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Mobile Access Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Mobile Access CP Requirements Mapped to CNSSI-1253 Security Controls


Campus WLAN Capability Package

The Campus Wireless Local Area Network Capability Package (Campus WLAN CP) Version 3.0, dated 04 May 2022, has been approved by the Deputy National Manager (DNM) for National Security Systems to meet the demand for commercial End User Devices (EUD) (tablets, smartphones, and laptop computers) to access secure enterprise services over a campus wireless network.  This version provides new updates such as the addition of the WPA3 standard, client virtualization requirements, multifactor authentication requirements, an appendix for WLAN tactical use cases, and improved administrative updates. This document supersedes the Campus WLAN CP Version 2.3

Download the approved Campus WLAN Capability Package V3.0.1.

Contact the Campus WLAN CP Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Campus WLAN Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Campus WLAN CP Requirements Mapped to CNSSI-1253 Security Controls
 


Multi-Site Connectivity Capability Package

The Multi-Site Connectivity Capability Package (MSC CP) Version 1.2.0, dated 2 March 2023, has been approved by the Deputy National Manager (DNM) for National Security Systems. This CP describes a general MSC Solution to protect classified information as it travels across an untrusted network. The solution supports interconnecting two or more networks operating at the same security level via two nested, independent encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The two encryption tunnels protecting a data flow can use either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations. This document supersedes the MSC CP Version 1.1.

Download the approved Multi-Site Connectivity Capability Package V1.2.0.

Contact the Multi-Site Connectivity CP Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Multi-Site Connectivity Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Multi-Site Connectivity CP Requirements Mapped to CNSSI-1253 Security Controls
 


Data at Rest Capability Package

The Data-at-Rest Capability Package (DAR CP) Version 5.0, dated November 2020, has been approved by the Deputy National Manager (DNM) for National Security Systems.  This CP provides two new use-cases for Enterprise Management (EM) and Unattended Operations (UO), a new solution design for Hardware FDE/Hardware FDE (HH), and optional DAR Location-Based Services features for additional access restriction, and guidance for implementing CSfC solutions in a High Assurance GOTS environment.  Although the DAR solution designs can protect the confidentiality of data and render the EUD unclassified, it does not protect the integrity of an EUD outside of the control of approved users. Therefore, the NSA requires implementing organizations to define the circumstances in which an EUD that is part of the organization's solution is to be considered outside of the positive control of authorized users (i.e., "lost"). Authorizing Officials (AO) will define the circumstances for considering a device "lost" that aligns with the intended mission and threat environment for which the solution will be deployed. This document supersedes the DAR CP Version 4.0.

Download the approved Data-at-Rest Capability Package V5.0.

Contact the DAR CP Maintenance Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Data at Rest Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Data at Rest CP Requirements Mapped to CNSSI-1253 Security Controls

DAR v5.1.0 Draft 1.0

(U) The Data-at-Rest Capability Package (DAR CP) Version 5.1.0 Draft 1.0 provides a new solution design for DAR Devices utilizing Software (SW) Full Disk Encryption (FDE) the SWFDE/SWFDE Solution Design, guidance for implementing Virtualization with DAR devise, expansion of the option DAR Location-Based Services features for additional access restrictions, guidance for implementing CSfC solutions in a High Assurance GOTS environment, and expanding the use case where multi-factor authentication should be used within the DAR CP
Download the DAR v5.1.0 draft here
Download the Data-at-Rest CP 5.1.0 draft 1 Comment Matrix here


Enterprise Gray Implementation Requirements Annex

 

The Enterprise Gray Implementation Annex Version 1.1, dated 19 May 2022, has been approved by the Deputy National Manager (DNM) for National Security Systems.  This annex provides: techniques to deploy all three Data-in-Transit CPs (Mobile Access, Campus WLAN, and Multi-Site Connectivity) concurrently to reduce costs; guidance on remote management of Gray Management Services from a centralized location; routing protocols for enhanced scalability for large enterprise networks; and site survivability options to maintain access to classified resources. This document supersedes the Enterprise Gray Implementation Annex Version 1.0.

Download the approved Enterprise Gray Implementation Requirements Annex V1.1.1.

Contact the Enterprise Gray Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Enterprise Gray Implementation Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Enterprise Gray Implementation Requirements Mapped to CNSSI-1253 Security Controls
 


Key Management Requirements Annex

The Key Management (KM) Requirements Annex Version 2.1, dated May 2022, has been approved by the Deputy National Manager (DNM) for National Security Systems.  The requirements outlined within have been demonstrated suitable for protecting classified information and National Security Systems, provided the implementation of the solution is configured, maintained and monitored as required by the published Capability Packages (CPs).  The updated version of this annex incorporates relocated KM product selection requirements from all Data-In-Transit CSFC Capability Packages (CPs), relocated and updated KM role-based personnel requirements from all CSfC CPs, additional requirements to improve separation of inner and outer Public Key Infrastructures (PKIs), Password/Passphrase Strength Parameters appendix from DAR CP, relocated and updated Enterprise Gray KM requirements from CSfC Enterprise Gray Implementation Requirements Annex, and additional Certification Authorities deployment options figures. This document supersedes the KM Requirements Annex Version 2.0. 

Download the approved Key Management Requirements Annex V2.1.

Contact the Key Management Requirements Team.

Key Management Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Key Management Requirements Mapped to CNSSI-1253 Security Controls
 


Symmetric Key Management Requirements Annex

The Symmetric Key Management (KM) Requirements Annex Version 2.1, dated May 2022, has been approved by the Deputy National Manager (DNM) for National Security Systems.  This annex defines additional requirements for implementing Symmetric KM capabilities defined in CSfC Capability Packages (CPs).  It allows for the use of Symmetric Pre-Shared Keys to provide quantum resistant cryptographic protection of classified information in properly configured, maintained and monitored CSfC solutions. The updated version of this annex incorporates updated KGS product selection criteria, updated wording to improve and clarify PSK usage guidance, updated IPSec with RFC 8784-compliant implementations of IKE v2 PSK usage requirements, updated outer PSK classification requirement, and role-based personnel requirements. This document supersedes the SKM Requirements Annex Version 2.0.

Download the approved Symmetric Key Management Requirements Annex V2.1.

Contact the Key Management Requirements Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Symmetric Key Management Requirements Annex Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Symmetric Key Management Annex v2.1 Requirements Mapping to NIST SP 800-53 Security Controls.

 

Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex

The Wireless Intrusion Detection System/Wireless Intrusion Prevention System (WIDS/WIPS) Annex Version 2.0.0 dated 5 March 2024, has been approved by the Deputy National Manager (DNM) for National Security Systems to provide guidance to customers on monitoring and protecting CSfC WLAN Access Systems and securing classified spaces through the use of WIDS and WIPS.  This Annex applies to the Campus WLAN CP and the Mobile Access CP in a Government Private Wireless deployment.  The CSfC WIDS/WIPS Annex covers secure deployment, management and configuration of WIDS and WIPS within CSfC solutions, which aim to simplify and enhance current security in monitoring wireless solutions.

Download the Wireless Intrusion Detection System/Wireless Intrusion Protection System Annex V2.0.0.

Contact the WIDS/WIPS team

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Wireless Intrusion Detection System (WIDS)/Wireless Intrusion Prevention System (WIPS) Annex v1.0 Requirements Mapping to NIST SP 800-53 Security Controls.

 


Continuous Monitoring Annex

The Continuous Monitoring (CM) Annex Version 1.1.0, dated 02 March 2023, has been approved by the Deputy National Manager (DNM) for National Security Systems to provide guidance for the collection and analysis of network and security data to enable continuous monitoring within a deployed CSfC solution.  CM is implemented as part of a holistic, risk management and defense-in-depth information security strategy integrated into CSfC architectures.

Download the Continuous Monitoring Annex V1.1.0.

Contact the Continuous Monitoring Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Continuous Monitoring Requirements Annex v1.1.0 Requirements Mapping to NIST SP 800-53 Security Controls.

Tactical Capability Package
The Tactical Capability Package Version 1.0.0, dated 1 July 2024, has been approved by the Deputy National Manager (DNM) for National Security Systems (NSS) to meet the need for CSfC customers operating on the Tactical edge. The CP has guidance for CSfC customers deploying portable network infrastructure within tactical edge or battle field environment using the Commercial National Security Algorithm (CNSA) Suite with National Information Assurance Partnership (NIAP) validated products to compose secure tactical solutions. For more information on this CP, please contact the CSfC PMO at csfc@nsa.gov. For technical questions contact Tactical_CP_Team@nsa.gov. 

Tactical Capability Package 1.0.0 has been approved. For more information, contact the CSfC PMO at csfc@nsa.gov.



EUD Composition Guidance Addendum 1.0 Draft 1 
The EUD Composition Guidance Addendum Version 1 Draft 1 describes a structural change to EUDs that clarifies the usage of technologies, product selections, and other changes within the MA, CWLAN, and DAR CPs. The following changes will be made to the overall CSfC program. Additional component will be added to the CSfC Components List to allow for this new change. Detail the usage of these new components on the CSfC Components List within MA, CWLAN, and DAR CPs. Using virtualization and other such software separation technologies within CSfC. Expand the usage of hardware separation within EUD. Clarify the deployment, usage, and approvals of Access CDS as EUDs within the CSfC Program. This Addendum is being provided as pre-decisional draft for the community comment and the final product of this document is a CP update to the relevant CPs.
Download: EUD Composition Guidance Addendum 1.0 Draft 1 
Please send comments by 8/18/23 to Wi-Fi@nsa.gov alias.
Download: EUD Composition Addendum Draft 1 Comment Matrix