19. What is a CP and what approved CPs are listed on the CSfC website?
Capability Packages (CPs) are solution-level specifications and the foundation of the CSfC Program. They are vendor-agnostic and provide high-level security and configuration guidance.
NSA uses a defense-in-depth approach using properly configured, layered solutions to provide adequate protection of classified data for a variety of different capabilities. CPs support this by providing high-level reference designs and corresponding configuration information. Clients can then select COTS products from the CSfC components list and properly configure those products. This results in a level of assurance sufficient for protecting classified and unclassified National Security Systems’ (NSS) data.
The National Manager approved capabilities are:
20. How often will Capability Packages (CPs) be changed, and how are the changes managed?
CPs are reviewed by NSA semi-annually and revised to keep pace with changing technology and policies. CPs incorporate lessons learned from early adopters before additional security products and services are selected. Updates are driven by new client needs, technology advances, policies, and problems encountered with the use of existing documents.
NSA retains responsibility for reviewing requests, identifying the need, and determining which changes will be implemented.
21. Who designs and approves the solution-level specifications for Capability Packages?
NSA designs, develops, approves and publishes solution-level specifications as Capability Packages (CPs). These CPs provide the client with ready access to the information needed to satisfy operational requirements.
In accordance with the Committee on National Security Systems (CNSS Policy 7), “Use of Commercial Solutions to Protect National Security Systems,” the Deputy National Manager (DNM) must approve CSfC CPs developed under the CSfC process. Furthermore, all CSfC solutions operating on, or protecting, NSS information must be registered with NSA.
Trusted Integrators (TIs) specialize in integrating CSfC components in accordance with the CPs to ensure secure and proper solution functionality. They support NSS clients with the implementation of solution-level specifications outlined in the CPs. TIs do not approve the solutions.
22. Who are the POCs for the published CPs?
Questions regarding the CPs can be emailed to the specific Capability Package Maintenance Teams at the following:
- Mobile Access Capability Team: email@example.com
- Campus WLAN Capability Maintenance Team: firstname.lastname@example.org
- Multi-Site Capability Maintenance Team: email@example.com
- Data at Rest Capability Team: firstname.lastname@example.org
23. Where are the Deputy National Manager approved CPs located?
Current and approved CPs are listed on the CSfC webpage at: https://www.nsa.gov/resources/Commercial-Solutions-for-Classified/Capability-Packages
24. What is the difference between a “.8” and an “approved” version of a Capability Package? Can a client register a solution against .8 versions of CPs?
All solutions must be registered based upon the DNM-approved versions, which are clearly identified on the website. Clients cannot register solutions based on .8 versions. The .8 versions of the CPs are provided to initiate discussions and solicit feedback regarding possible additions to the CPs. NSA welcomes input and feedback. Opportunities to comment on .8 versions can be tracked via the CSfC Main Capability Package & Annex Schedule. To contribute to a CP/Annex in development, please contact the CSfC PMO at email@example.com.
25. What are the current approved CPs and how do they work?
A brief description of each of the current Capability Packages (CPs) follows:
- Mobile Access (MA CP)
  - The MA CP describes a general mobile access solution that protects classified information as it travels across either an untrusted network or a network consisting of multiple classification levels. This includes protecting classified data transiting wired networks, domestic cellular networks, and trusted wireless networks to include government private cellular networks and government private Wi-Fi networks.
  - This solution supports connecting End User Devices (EUDs) to a classified network via two layers of encryption terminated on the EUD, if the EUD and the network operate at the same security level. The MA solution uses two nested, independent tunnels to protect the confidentiality and integrity of data (including voice and video) as it transits the untrusted network. The MA solution utilizes IPsec as the outer tunnel and, depending on the solution design, IPsec or Transport Layer Security (TLS) as the inner layer of protection.
- Campus WLAN (WLAN CP)
  - The WLAN CP enables the client to meet the demand for commercial End User Devices (EUDs) -- such as tablets, smartphones, and laptop computers -- to access secure enterprise services over a campus wireless network. The Campus WLAN CP enables the client to implement layered encryption between a secure network and an EUD.
  - The WLAN CP provides a reference architecture and corresponding configuration information leveraging the list of COTS products from the CSfC Components List. Approved COTS devices will be used for the client’s Campus A wireless local area network (WLAN) solution which, when properly configured, will achieve a level of assurance sufficient for protecting classified data while in transit. Suite B algorithms use layers of COTS products to protect classified data.
- Multi-Site Connectivity (MSC CP)
  - The MSC CP (sometimes referred to as “VPN 3.2 CP”) describes a general MSC solution to protect classified information as it travels across either an untrusted network or a network of a different security level. The solution supports interconnecting two or more networks operating at the same security level via encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations.
  - The MSC Solution uses two nested, independent encryption tunnels to protect the confidentiality and integrity of data as it transits the untrusted network. The two encryption tunnels protecting a data flow can use either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure.
- Data at Rest Capability Package (DAR CP)
  - The DAR CP enables customers to implement two independent layers of encryption for providing protection for stored information using NSA approved cryptography while the End User Device (EUD) is powered off or in an unauthenticated state (defined as prior to a user presenting credentials and being validated by both layers of the DAR solution). Specific data to be protected must be determined by the data owner.
  - Although the DAR solution designs can protect the confidentiality of data and render the EUD unclassified, they do not protect the integrity of an EUD outside of the control of an approved user. Therefore, implementing organizations, as part of their solution, must define the circumstances in which an EUD is to be considered outside of the Positive Control of authorized users (i.e., "lost"). Authorizing Officials (AOs) will define the circumstances for considering a device outside of the Positive Control of an authorized user that aligns with the intended mission and threat environment for which the solution will be deployed.
26. Where can information about future direction and requirements for new/revised CPs be located?
Updates will be posted to the Coming Soon Page as new information becomes available. Also, any client wishing to receive email notifications about updates to this website may email the CSfC PMO at firstname.lastname@example.org with any questions. CSfC information is available at:
27. How can clients be more successful implementing solutions in compliance with CP requirements?
Clients can improve the likelihood of success for their solution implementation by utilizing the services of an experienced solution integrator. A list of approved Trusted Integrators is available at:
28. Does the client need to notify NSA if any changes are made to the solution implementation of the Capability Package?
Yes. If a Trusted Integrator or the client makes changes to a solution implementation that result in the solution no longer conforming to a current CP, the client must notify NSA.
29. What are Retransmission Devices (RDs)?
The government-owned RD is a category of devices that includes Wi-Fi hotspots and mobile routers. On the external side, the RD can be connected to any type of medium (e.g., cellular, Wi-Fi, SATCOM, Ethernet) to gain access to a Wide Area Network. On the internal side, the RD is connected to EUDs either through an Ethernet cable or Wi-Fi. When the RD is a Wi-Fi access point connected to the EUD (or multiple EUDs), the Wi-Fi network must implement Wi-Fi Protected Access II (WPA2) with Pre-Shared Key (PSK). The EUD must be configured to only permit connections to authorized RDs. RDs are only permitted to establish connectivity to the Black Network, and may not be placed between Outer Encryption Components and Inner Encryption Components. More information on RD specifications and requirements can be found by accessing the Mobile Access Capability Package (MA CP).
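The RD rules above expressed as a path check, as an added example that is not taken from the MA CP or the CSfC program. The hop model (a path ordered from the EUD outward), the role labels and the sample device names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical role labels for hops on a path, ordered from the EUD outward.
EUD, RD, BLACK, OUTER, INNER = "eud", "rd", "black_network", "outer_enc", "inner_enc"

@dataclass
class Hop:
    name: str
    role: str
    internal_link: str = ""   # RD only: "ethernet" or "wifi" (EUD-facing side)
    wifi_security: str = ""   # RD only: e.g. "WPA2-PSK", "open"

def nearest_enc(hops):
    """Role of the first encryption component in hops, or None."""
    return next((h.role for h in hops if h.role in (OUTER, INNER)), None)

def check_rd_rules(path, authorized_rds, eud_restricts_rds=True):
    """Return findings for every RD on a path that breaks a rule stated above."""
    findings = []
    if not eud_restricts_rds:
        findings.append("EUD: not restricted to authorized RDs")
    for i, hop in enumerate(path):
        if hop.role != RD:
            continue
        # An RD may not sit between Outer and Inner Encryption Components:
        # look at the closest encryption component on each side of it.
        sides = {nearest_enc(reversed(path[:i])), nearest_enc(path[i + 1:])}
        if sides == {OUTER, INNER}:
            findings.append(f"{hop.name}: between outer and inner encryption components")
        # The external side of an RD may only connect to the Black Network.
        nxt = path[i + 1].role if i + 1 < len(path) else None
        if nxt != BLACK:
            findings.append(f"{hop.name}: external side is not the Black Network")
        # A Wi-Fi RD must run WPA2 with a Pre-Shared Key toward the EUD.
        if hop.internal_link == "wifi" and hop.wifi_security != "WPA2-PSK":
            findings.append(f"{hop.name}: Wi-Fi without WPA2-PSK")
        if hop.name not in authorized_rds:
            findings.append(f"{hop.name}: not on the EUD's authorized RD list")
    return findings

# Constructed sample paths (not taken from any CP).
GOOD = [Hop("laptop", EUD), Hop("hotspot-1", RD, "wifi", "WPA2-PSK"),
        Hop("cellular", BLACK), Hop("outer-gw", OUTER), Hop("inner-gw", INNER)]
BAD = [Hop("laptop", EUD), Hop("cellular", BLACK), Hop("outer-gw", OUTER),
       Hop("router-9", RD, "wifi", "open"), Hop("inner-gw", INNER)]

if __name__ == "__main__":
    print(check_rd_rules(GOOD, {"hotspot-1"}))
    for finding in check_rd_rules(BAD, {"hotspot-1"}):
        print(finding)
```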
30. Since biometrics are optional, are there any plans for specific supplemental CSfC selections in this area?
While there are biometric details written into NIAP's MDF PP, there are currently no biometric selections for CSfC.
31. Will biometrics, if allowed, be limited to only the fingerprint template?
As specified in the Mobile Access Capability Package (MA CP 2.1, Section 4.4, Authentication): "The second factor will be a 'something-you-have' factor manifesting as a physically separate token from the VPN EUD supplying a one-time password for the user to enter. For future versions of the MA CP, transferring this one-time password via a short-range RF communication will be explored. Allowing 'something-you-are' (e.g. biometric) as a second factor is also being explored for future versions."
32. Who assumes responsibility for the inherent risk in Capability Package designs?
In CSfC, the overall risk of the solution is shared. The Deputy National Manager (DNM) for National Security Systems (NSS) assumes the inherent risk in the solution designs as specified in the published CPs. On the other hand, the Client's Authorizing Official (AO) is responsible for ensuring the fielded solution complies with the CP specifications and remains in compliance.
33. How does the alternative authentication mechanism apply with the DAR Solution? Is a primary authentication mechanism still needed?
Many products offer alternate authentication mechanisms. When implementing the DAR solution, these alternate mechanisms may be used only as a secondary (non-validated) authentication factor and must be paired with a primary authentication factor. Secondary factors may act as an additional access control or may contribute to the product’s key chain; the product’s protection profile evaluation guarantees there is no loss in strength when combining keys with potentially weaker sources.
34. What does Data at Rest (DAR) have to do with Diversity and Supply Chain?
Supply Chain and Diversity co-exist with DAR. Supply chain attacks may occur during development, production, updates, distribution, shipping, in storage, during operations or at disposal. For this reason, it is imperative that all components selected for use in CSfC solutions are subject to the applicable Supply Chain Risk Management (SCRM) process to reduce the risk of acquiring compromised components.
Diversity is applied by using multiple layers with components that meet the CSfC vendor diversity requirements. This reduces the likelihood that a single vulnerability can be exploited to reveal protected information. Each component selected from the CSfC Components List must go through a Product Supply Chain Risk Management (SCRM) Assessment to determine the appropriate mitigations for the intended application of the component per the organization’s AO-approved Product SCRM process.
35. How long does a client (Government Agency) have to comply with a newly released Capability Package (CP)?
Once a new version of a CP is published, the client may continue to operate up to re-registration. In accordance with CSfC policy, the client must comply with the new version upon re-registration. CSfC PMO will send out 120-day, 60-day and 30-day notifications of registration expirations to the client via email.
36. Who dictates the installation of patches for solution components for Capability Packages (CPs)?
Local policy dictates how the Security Administrator installs patches to Solution Components. This is to ensure that the latest patches and updates are applied to each product in a timely fashion. Critical patches shall be tested and subsequently applied to all components in the solution in accordance with local policy and the CPs.