NSA welcomes comments on the approved Capability Packages, which can be sent to your NSA Client Advocate or the appropriate capability package maintenance team. Updates to these Capability Packages will be posted to this site.
Archived Capability Packages
Mobile Access Capability Package
Campus WLAN Capability Package
Multi-Site Connectivity Capability Package
Data at Rest Capability Package
Enterprise Gray Implementation Requirements Annex
Key Management Requirements Annex
Symmetric Key Management Requirements Annex
Continuous Monitoring Annex
Tactical Capability Package
What is a Capability Package?
NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.
CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements. Each Capability Package has a classified Risk Assessment associated with it. Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.
How can Customers/Integrators Implement a CSfC Capability Package?
For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of War Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA through the NSA Client Contact Center.
Integrators should coordinate through their U.S. Government customer points of contact.
The following is the version naming scheme for the Commercial Solutions for Classified (CSfC) Capability Packages (CPs) and CP Annexes. It communicates the status, types of updates, types of changes, etc. to stakeholders by using a defined and documented naming convention.
Capability Package and Annex (CP/Annex) Versioning Scheme
Mobile Access Capability Package
The Mobile Access Capability Package (MA CP) Version 2.8.0, dated 27 March 2026, has been approved by the Deputy National Manager (DNM) for National Security Systems (NSS) to meet the demand for mobile, data-in-transit, solutions using the Commercial National Security Algorithm (CNSA) Suite with National Information Assurance Partnership (NIAP) validated products to compose secure mobile solutions. This version introduces new CNSA 2.0 objective requirements to meet the evolving need of Post-Quantum Resistant algorithms to protect NSS and align with CNSS Policy No, 15, Use of Public Standards for Secure Information Sharing. This document supersedes the MA CP Version 2.7.1.
Download the approved Mobile Access Capability Package V2.8.0.
Contact the Mobile Access CP Team.
Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.
Mobile Access Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Mobile Access CP v2.8.0 Requirements Mapped to CNSSI-1253 Security Controls
Campus WLAN Capability Package
The Campus WLAN Capability Package (WLAN CP) Version 3.2.0, dated 27 March 2026, has been approved by the Deputy National Manager (DNM) for National Security Systems (NSS) to meet the demand for classified Wi-Fi solutions within controlled spaces using the Commercial National Security Algorithm (CNSA) Suite with National Information Assurance Partnership (NIAP) validated products to compose secure mobile solutions. This version incorporates the addition of objective CNSA 2.0 algorithms, added objective software signing requirements, and clarified preference for separate WLAN Access Systems for Multi-Classification use case. This document supersedes the CWLAN Version 3.1.0.
Download the approved Campus WLAN CP v3.2.0.
Contact the Campus WLAN CP Team.
Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.
Campus WLAN Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Campus WLAN CP v3.2.0 Requirements Mappings to CNSSI-1253 Security Controls
Multi-Site Connectivity Capability Package
The Multi-Site Connectivity Capability Package (MSC CP) Version 1.3.0, dated 27 March 2026, has been approved by the Deputy National Manager (DNM) for National Security Systems. This CP describes a general MSC Solution to protect classified information as it travels across an untrusted network.
The solution supports interconnecting two or more networks operating at the same security level via two nested, independent encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The two encryption tunnels protecting a data flow can use either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations. This document supersedes the MSC CP Version 1.2.
Download the approved Multi-Site Connectivity Capability Package v1.3.0.
Contact the Multi-Site Connectivity CP Team.
Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.
Multi-Site Connectivity Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Multi-Site Connectivity CP v1.3.0 Mapped to CNSSI-1253 Security Controls
Data at Rest Capability Package
The Data-at-Rest Capability Package (DAR CP) Version 5.1.0, dated March 2026, has been approved by the Deputy National Manager (DNM) for National Security Systems. This CP provides a new solution design for DAR Devices utilizing Software (SW) Full Disk Encryption (FDE) the SWFDE/SWFDE Solution Design, guidance for implementing Virtualization with DAR devise, expansion of the option DAR Location-Based Services features for additional access restrictions, guidance for implementing CSfC solutions in a High Assurance GOTS environment, and expanding the use case where multi-factor authentication should be used within the DAR CP. This document supersedes the DAR CP Version 5.0.
Download the approved Approved DAR CP v5.1.0 - March 2026.
Contact the DAR CP Maintenance Team.
Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.
Data at Rest Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: DAR CP 5.1 800-53 Control Mappings
Enterprise Gray Implementation Requirements Annex
The Enterprise Gray Implementation Annex Version 1.2.0, dated 27 March 2026, has been approved by the Deputy National Manager (DNM) for National Security Systems. This annex provides: techniques to deploy all three Data-in-Transit CPs (Mobile Access, Campus WLAN, and Multi-Site Connectivity) concurrently to reduce costs; guidance on remote management of Gray Management Services from a centralized location; routing protocols for enhanced scalability for large enterprise networks; and site survivability options to maintain access to classified resources. This document supersedes the Enterprise Gray Implementation Annex Version 1.1.1.
Download the approved Enterprise Gray Implementation Requirements Annex v1.2.0.
Contact the Enterprise Gray Team.
Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.
Enterprise Gray Implementation Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Enterprise Gray Implementation Requirements Annex v1.2.0 Mapped to CNSSI-1253 Security Controls
Key Management Requirements Annex
The CSfC Key Management (KM) Requirements Annex 3.0.0, dated 27 March 2026, defines requirements and guidance for implementing the secure use of public key certificates for component authentication to establish the Outer and Inner encryption tunnels of CSfC solutions. CSfC Data-In Transit (DIT) solutions use asymmetric algorithms, as defined in the Commercial National Security Algorithm (CNSA) Suite, and X.509 certificates for component authentication to establish the Outer and Inner encryption tunnels. The updated version of this Annex incorporates the addition of objective CNSA 2.0 algorithms, clarification and updated verbiage for requirements related to Certificate Authority product selection and implementation, and role-based personnel requirements updates. This document supersedes the KM Requirements Annex Version 2.1.
Download the approved Key Management Requirements Annex v3.0.0.
Contact the Key Management Requirements Team.
Key Management Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Key Management Requirements v3.0.0 Mapped to CNSSI-1253 Security Controls
Symmetric Key Management Requirements Annex
The CSfC Symmetric Key Management (SKM) Requirements Annex 3.0.0, dated 27 March 2026, defines additional requirements for implementing Symmetric KM capabilities defined in CSfC Capability Packages (CPs). It allows for the use of Symmetric Pre-Shared Keys to provide Quantum Resistant cryptographic protection of classified information in properly configured, maintained, and monitored CSfC solutions. The updated version of this Annex incorporates updated KGS deployment options, updated wording to improve and clarify PSK usage guidance for high availability solutions, updated KGS RNG requirement, and the addition of a KGS Approval Criteria Appendix. This document supersedes the SKM Requirements Annex Version 2.1.
Download the approved Symmetric Key Management Requirements Annex v3.0.0.
Contact the Key Management Requirements Team.
Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.
Symmetric Key Management Requirements Annex Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Symmetric Key Management Annex v3.0.0 Requirements Mapping to CNSSI-1253 Security Controls
Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex
The Wireless Intrusion Detection System/Wireless Intrusion Prevention System (WIDS/WIPS) Annex Version 2.0.0 dated 5 March 2024, has been approved by the Deputy National Manager (DNM) for National Security Systems to provide guidance to customers on monitoring and protecting CSfC WLAN Access Systems and securing classified spaces through the use of WIDS and WIPS. This Annex applies to the Campus WLAN CP and the Mobile Access CP in a Government Private Wireless deployment. The CSfC WIDS/WIPS Annex covers secure deployment, management and configuration of WIDS and WIPS within CSfC solutions, which aim to simplify and enhance current security in monitoring wireless solutions.
Download the Wireless Intrusion Detection System/Wireless Intrusion Protection System Annex V2.0.0.
Contact the WIDS/WIPS team.
Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.
Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Wireless Intrusion Detection System (WIDS)/Wireless Intrusion Prevention System (WIPS) Annex v1.0 Requirements Mapping to NIST SP 800-53 Security Controls.
Continuous Monitoring Annex
The Continuous Monitoring (CM) Annex Version 1.1.0, dated 02 March 2023, has been approved by the Deputy National Manager (DNM) for National Security Systems to provide guidance for the collection and analysis of network and security data to enable continuous monitoring within a deployed CSfC solution. CM is implemented as part of a holistic, risk management and defense-in-depth information security strategy integrated into CSfC architectures.
Download the Continuous Monitoring Annex V1.1.0.
Contact the Continuous Monitoring Team.
Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Continuous Monitoring Requirements Annex v1.1.0 Requirements Mapping to NIST SP 800-53 Security Controls.
Continuous Monitoring Annex 2.0.0 Draft 1
The CSfC Continuous Monitoring Annex 2.0.0 Draft 1, dated May 2025, defines additional requirements and guidance for implementing monitoring capabilities for usage within CSfC Capability Packages (CPs). This draft version introduces the monitoring for Dedicated Outer VPNs, Virtualized End User Devices, Mobile Device Managers (MDMs), new requirements across Monitoring Points (MPs) with respect to Zero Trust, Attestation and Automation capabilities, updated figures as well as other administrative changes. This document will supersede the Continuous Monitoring Annex v1.1.0 once finalized and approved.
Download: Continuous Monitoring Annex 2.0.0 Draft 1
Download: Continuous Monitoring Annex 2.0.0 Draft 1 Comments Matrix
Please send comments to CSFC_CM_Team@nsa.gov by 8/1/25.
Tactical Capability Package
The Tactical Capability Package Version 1.0.0, dated 1 July 2024, has been approved by the Deputy National Manager (DNM) for National Security Systems (NSS) to meet the need for CSfC customers operating on the Tactical edge. The CP has guidance for CSfC customers deploying portable network infrastructure within tactical edge or battle field environment using the Commercial National Security Algorithm (CNSA) Suite with National Information Assurance Partnership (NIAP) validated products to compose secure tactical solutions. For more information on this CP, please contact the CSfC PMO at csfc@nsa.gov. For technical questions contact Tactical_CP_Team@nsa.gov.
Tactical Capability Package 1.0.0 has been approved. For more information, contact the CSfC PMO at csfc@nsa.gov.
EUD Composition Guidance Addendum 1.0 Draft 1
The EUD Composition Guidance Addendum Version 1 Draft 1 describes a structural change to EUDs that clarifies the usage of technologies, product selections, and other changes within the MA, CWLAN, and DAR CPs. The following changes will be made to the overall CSfC program. Additional component will be added to the CSfC Components List to allow for this new change. Detail the usage of these new components on the CSfC Components List within MA, CWLAN, and DAR CPs. Using virtualization and other such software separation technologies within CSfC. Expand the usage of hardware separation within EUD. Clarify the deployment, usage, and approvals of Access CDS as EUDs within the CSfC Program. This Addendum is being provided as pre-decisional draft for the community comment and the final product of this document is a CP update to the relevant CPs.
Download: EUD Composition Guidance Addendum 1.0 Draft 1
Please send comments by 8/18/23 to Wi-Fi@nsa.gov alias.
Download: EUD Composition Addendum Draft 1 Comment Matrix
CSfC Post Quantum Cryptography Guidance Addendum 1.0 Draft.5
The CSfC Post Quantum Cryptography Guidance Addendum 1.0 Draft.5, dated 4 April 2025, is an Addendum to the CSfC Mobile Access (MA), Campus WLAN (CWLAN), Multi-Site Connectivity (MSC), and Data-at-Rest (DAR) CPs that conveys a structural change to encryption standards to clarify the usage of Post Quantum Cryptography (PQC) technologies, product selections, and other changes. This Addendum is provide to allow for the customer base and interested parties to comment on these changes before they are made within the above-mentioned CPs and released as minor increments to these CPs.
CSfC Post Quantum Cryptography Guidance Addendum 1.0 Draft.5
Download: CSfC Post Quantum Cryptography Guidance Addendum 1.0 Draft .5 Comment Matrix
Please send comments by 7/25/25 to CSfC_Key_Man_Req_Team@nsa.gov alias