While CSfC encourages industry innovation, trustworthiness of the components is paramount. Customers and their integrators are advised that modifying a NIAP-validated component in a CSfC solution may invalidate its certification and trigger a revalidation process. To avoid delays, customers or integrators who feel it is necessary to modify a component should engage the component vendor and consult NIAP through their Assurance Continuity
process to determine whether such a modification will affect the component's certification. In case of a modification to a component, NSA's CSfC Program Management Office will require a statement from NIAP that the modification does not alter the certification, or the security, of the component. Modifications that will trigger the revalidation process include, but are not limited to: configuring the component in a manner different than its NIAP-validated configuration; and modifying the original equipment manufacturers' (OEM's) code (to include digitally signing the code).
Criteria for CSfC Integrators
Criteria and processes are defined to provide a common baseline for CSfC solution integrators, enabling NSA, AOs/Designated Approving Authorities (DAAs) to assess the capabilities of solution integrators and accept their results. Interested integrators may ask questions or submit their application by email
Download the updated criteria and application for CSfC Integrators