Commercial Solutions for Classified (CSfC) is an important part of NSA's commercial cybersecurity strategy to deliver secure cybersecurity solutions leveraging commercial technologies and products to deliver cybersecurity solutions quickly. It is founded on the principle that properly configured, layered solutions can provide adequate protection of classified data in a variety of different applications. NSA has developed, approved, and published solution-level specifications called Capability Packages (CPs) and, through the National Information Assurance Partnership (NIAP), works with technical communities from across industry, government and academia to develop, maintain, and publish product-level security requirements called Protection Profiles (PPs). CPs for Mobile Access, Multi-Site Connectivity, Campus Wireless LAN, and Data at Rest solutions are now published on this site.
U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, NSA has developed ways to leverage emerging technologies to deliver more timely cybersecurity solutions for rapidly evolving customer requirements.
NSA's CSfC Program was established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.
View the Commercial Solutions for Classified Brochure (PDF)
View the Commercial Solutions for Classified Factsheet (PDF)
CNSS Policy on CSfC:
The Committee on National Security Systems
(CNSS) has issued a CSfC Advisory Memorandum that provides guidance to U.S. Government departments and agencies as to the responsibilities for maintaining the security posture of NSS using CSfC solutions.
Recommended Acquisition Language for Contracting Officers, Program Managers, Acquisition Officials:
To help ensure commercial component vendors meet CNSS Policy (CNSSP) No. 11 requirements, the following contractual language is recommended for procurements involving commercial technologies: Technologies for [Program X] shall be procured in accordance with CNSSP No. 11, "National Policy Governing the Acquisition of Information Assurance and IA-Enabled Information Technology Products." In addition, technologies shall be procured which have been validated by Common Criteria Testing Labs, in accordance with the National Information Assurance Partnership
(NIAP) Protection Profiles (PPs). Where a PP exists but the desired product has not been validated against it, [Program X] shall direct the desired vendor to have their product validated against the appropriate, corresponding PP. For NSS where classified data is being protected at rest or in transit by commercial products, technologies from the CSfC Components List shall be used, in accordance with NSA's published CSfC Capability Packages. Capability Packages and the CSfC Components List can be found by visiting the CSfC Components List page
. NIAP-validated products can be found at the NIAP website on the CCEVS Product Compliant List
The Future of CSfC
NSA protects the nation's most critical information and systems against cyber-attacks through hardening and defending the cyber infrastructure. This is accomplished by using the right tool for the right job when delivering encryption solutions to NSS customers, and this includes responsibly leveraging commercial technologies. CSfC continues to be an important component in NSA's commercial cybersecurity and assurance strategy.
CSfC Questions and Site Updates
Updates will be posted frequently to this site as the Commercial Solutions for Classified program continues to progress. If you wish to receive an email notification about updates to this website, please email us
, submit a web form
, or call our Client Contact Center at (410) 854-4200, this includes DoD/U.S. Government-related inquiries. Additional points of contact are below: