Capability Packages

U.S. Government Customers: Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.


NSA welcomes comments on the approved Capability Packages, which can be sent to your NSA Client Advocate or the appropriate capability package maintenance team. Updates to these Capability Packages will be posted to this site.

Archived Capability Packages

Mobile Access Capability Package

Campus WLAN Capability Package

Multi-Site Connectivity Capability Package

Data at Rest Capability Package

Enterprise Gray Implementation Requirements Annex

Key Management Requirements Annexes

Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex

Continuous Monitoring Annex


What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements. Each Capability Package has a classified Risk Assessment associated with it. Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.

How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA through the NSA Client Contact Center.

Integrators should coordinate through their U.S. Government customer points of contact.


Mobile Access Capability Package

The CSfC MA CP v2.6 Draft, dated September 2021, has been drafted and is intended to solicit review and comments from stakeholders. The CP is being updated with the following enhancements: designation of Two Factor Authentication Requirements as Threshold (T=O), addition of a Wireless Dedicated Outer VPN for the Tactical use case, renaming of section 8 from 'Continuous Monitoring' to 'Supporting Documents', and administrative updates throughout the CP.

Please send comments to the Mobile Access CP Maintenance Team by 18 Nov 2021.

NOTE: Solutions cannot be registered against this draft design. All solution registrations must be against the approved MA CP v2.5.

Download the Mobile Access Capability Package v2.6 Draft.

Download the Comment Matrix and Comment Matrix Instructions.

Contact the Mobile Access CP Maintenance Team.


Campus WLAN Capability Package

The Campus Wireless Local Area Network (WLAN) Version 2.3 Capability Package, dated 4 August 2021, has been approved by the Deputy National Manager for National Security Systems. This Capability Package enables customers to meet the demand for commercial End User Devices (i.e., tablets, smartphones and laptop computers) to access secure enterprise services over a campus wireless network. This update primarily incorporates the Continuous Monitoring Annex v1.0 and the Wireless Intrusion Detection System/Wireless Intrusion Prevention System (WIDS/WIPS) Annex Version 1.0. This document supersedes the Campus WLAN Version 2.2 Capability Package.

Download the approved Campus WLAN Capability Package v2.3

Contact the Campus WLAN CP Maintenance Team


Multi-Site Connectivity Capability Package

Version 1.1 of the Multi-Site Connectivity (MSC) Capability Package, dated 26 June 2018, has been approved by the Deputy National Manager for National Security Systems. This CP describes a general MSC Solution to protect classified information as it travels across either an untrusted network or a network of a different security level. The solution supports interconnecting two or more networks operating at the same security level via encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations. This document supersedes the Multi-Site Connectivity Capability Package Version 1.0.

The MSC Solution uses two nested, independent encryption tunnels to protect the confidentiality and integrity of data as it transits the untrusted network. The two encryption tunnels protecting a data flow can use either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure.

Download the approved Multi-Site Connectivity Capability Package v1.1.

Contact the Multi-Site Connectivity CP Maintenance Team


Data at Rest Capability Package

Version 5.0 of the Data-at-Rest Capability Package, dated November 2020, provides two new use cases for Enterprise Management (EM) and Unattended Operations (UO), a new solution design for Hardware FDE/Hardware FDE (HH), optional DAR Location-Based Services features for additional access restriction, and guidance for implementing CSfC solutions in a High Assurance GOTS environment. Although the DAR solution designs can protect the confidentiality of data and render the EUD unclassified, they do not protect the integrity of an EUD outside of the control of approved users. Therefore, the NSA requires implementing organizations to define the circumstances in which an EUD that is part of the organization's solution is to be considered outside of the positive control of authorized users (i.e., "lost"). Authorizing Officials (AO) will define the circumstances for considering a device "lost" that align with the intended mission and threat environment for which the solution will be deployed. This CP is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied.

Download the approved Data-at-Rest Capability Package v5.0

Contact the DAR CP Maintenance Team


Enterprise Gray Implementation Requirements Annex

The Enterprise Gray Implementation Requirements Annex Version 1.0 provides guidance that helps customers grow and expand their networks across geographically larger distances while leveraging their existing infrastructure and services to manage that growth. This annex references the three Data-in-Transit CPs (Campus Wireless Local Area Network, Mobile Access and Multi-Site Connectivity) using approved cryptographic algorithms and National Information Assurance Partnership evaluated components. The CSfC Enterprise Gray Implementation Requirements Annex provides cost-effective techniques to deploy all three Data-in-Transit CPs at the same time using centralized certificate and Virtual Private Network (VPN) management. Selecting equipment with the ability to collapse into components for multi-use allows customers to deploy multiple CPs simultaneously.

Download the Enterprise Gray Implementation Requirements Annex Version 1.0

Feedback should be sent to the Enterprise Gray team.


Key Management Requirements Annexes

This updated version of the CSfC Key Management (KM) Requirements Annex has been developed and approved by the National Manager and builds upon the proven commercial strategy of the earlier version. The requirements outlined within have been demonstrated suitable for protecting classified information and National Security Systems, provided the implementation of the solution is configured, maintained and monitored as required by the published Capability Packages (CPs). 

Version 2.0 of this annex incorporates stakeholder feedback to include clarifying concepts and alignment with existing CNSS Public Key policies. Additional improvements include:

  • Relocating MACsec pre-shared CAK Management requirements to the new CSfC Symmetric Key Management Requirements Annex v2.0; and
  • Removing the use of whitelists as an alternative to Certificate Revocation Lists or Online Certificate Status Protocol responders.

Download the approved Key Management Requirements Annex v2.0

Feedback should be sent to the CSfC Key Management Requirements team.
 

Symmetric Key Management Requirements Annex

This newly released version of the CSfC Symmetric Key Management (KM) Requirements Annex v2.0 has been approved by the National Manager and defines additional requirements for implementing Symmetric KM capabilities defined in CSfC Capability Packages (CPs). It allows for the use of Symmetric Pre-Shared Keys to provide quantum resistant cryptographic protection of classified information in properly configured, maintained and monitored CSfC solutions.

Download the approved Symmetric Key Management Requirements Annex v2.0

Feedback should be sent to the CSfC Key Management Requirements team.


Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex

The Wireless Intrusion Detection System/Wireless Intrusion Prevention System (WIDS/WIPS) Annex Version 1.0 provides guidance to customers on monitoring and protecting CSfC WLAN Access Systems and securing classified spaces through the use of WIDS and WIPS. This Annex applies to the Campus WLAN CP and the Mobile Access CP in a Government Private Wireless deployment. The CSfC WIDS/WIPS Annex covers secure deployment, management and configuration of WIDS and WIPS within CSfC solutions, which aim to simplify and enhance current security in monitoring wireless solutions.

Download the WIDS/WIPS Annex Version 1.0

Please send comments to the CSfC WIDS team.


Continuous Monitoring Annex

Continuous Monitoring (CM) Annex version 1.0, dated 04 August 2021, has been approved by the Deputy National Manager (DNM) for National Security Systems to provide guidance for the collection and analysis of network and security data to enable continuous monitoring within a deployed CSfC solution. CM is implemented as part of a holistic risk management and defense-in-depth information security strategy integrated into CSfC architectures.

Download the Continuous Monitoring Annex Version 1.0

Please send comments to the Continuous Monitoring team.