Capability Packages

U.S. Government Customers

Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.


NSA welcomes comments on the approved Capability Packages, which can be sent to your NSA Client Advocate or the appropriate capability package maintenance team. Updates to these Capability Packages will be posted to this site.

Archived Capability Packages

Mobile Access Capability Package

Campus WLAN Capability Package

Multi-Site Connectivity Capability Package

Data at Rest Capability Package

Enterprise Gray Implementation Requirements Annex

Key Management Requirements Annex

Symmetric Key Management Requirements Annex

Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex

Continuous Monitoring Annex
 


What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements. Each Capability Package has a classified Risk Assessment associated with it. Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.

How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA through the NSA Client Contact Center.

Integrators should coordinate through their U.S. Government customer points of contact.

The following is the version naming scheme for the Commercial Solutions for Classified (CSfC) Capability Packages (CPs) and CP Annexes. It communicates the status, types of updates, types of changes, etc. to stakeholders by using a defined and documented naming convention. 
Capability Package and Annex (CP/Annex) Versioning Scheme
 



Mobile Access Capability Package

The Mobile Access Capability Package (MA CP) Version 2.5, dated 04 August 2021, has been approved by the Deputy National Manager (DNM) for National Security Systems to meet the demand for mobile data in transit solutions using the Commercial National Security Algorithm (CNSA) Suite with National Information Assurance Partnership (NIAP) validated products to compose secure mobile solutions. This version provides enhanced isolation requirements in the form of new virtualization (i.e., software-based Wi-Fi driver and inner/outer VPN tunnel) and Hardware Retransmission Device requirements. Other significant enhancements include incorporation of the Continuous Monitoring Annex V1.0 and the Wireless Intrusion Detection System/Wireless Intrusion Prevention System (WIDS/WIPS) Annex Version 1.0. This document supersedes the MA CP Version 2.1.

The Mobile Access Capability Package (MA CP) Version 2.5.1 addresses administrative changes.

Download the approved Mobile Access Capability Package V2.5.1.

Contact the Mobile Access CP Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Mobile Access Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Mobile Access CP Solution Registration Form
Download: Mobile Access CP Requirements Mapped to CNSSI-1253 Security Controls
 


Campus WLAN Capability Package

The Campus Wireless Local Area Network Capability Package (Campus WLAN CP) Version 3.0, dated 04 May 2022, has been approved by the Deputy National Manager (DNM) for National Security Systems to meet the demand for commercial End User Devices (EUD) (tablets, smartphones, and laptop computers) to access secure enterprise services over a campus wireless network. This version provides new updates such as the addition of the WPA3 standard, client virtualization requirements, multifactor authentication requirements, an appendix for WLAN tactical use cases, and improved administrative updates. This document supersedes the Campus WLAN CP Version 2.3.

Download the approved Campus WLAN Capability Package V3.0.

Contact the Campus WLAN CP Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Campus WLAN Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Campus WLAN CP Solution Registration Form
Download: Campus WLAN CP Requirements Mapped to CNSSI-1253 Security Controls
 


Multi-Site Connectivity Capability Package

The Multi-Site Connectivity Capability Package (MSC CP) Version 1.1, dated 26 June 2018, has been approved by the Deputy National Manager (DNM) for National Security Systems. This CP describes a general MSC Solution to protect classified information as it travels across either an untrusted network or a network of a different security level. The solution supports interconnecting two or more networks operating at the same security level via two nested, independent encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The two encryption tunnels protecting a data flow can use either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations. This document supersedes the MSC CP Version 1.0.

Download the approved Multi-Site Connectivity Capability Package V1.1.

Contact the Multi-Site Connectivity CP Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Multi-Site Connectivity Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Multi-Site Connectivity CP Solution Registration Form
Download: Multi-Site Connectivity CP Requirements Mapped to CNSSI-1253 Security Controls
 


Data at Rest Capability Package

The Data-at-Rest Capability Package (DAR CP) Version 5.0, dated November 2020, has been approved by the Deputy National Manager (DNM) for National Security Systems. This CP provides two new use-cases for Enterprise Management (EM) and Unattended Operations (UO), a new solution design for Hardware FDE/Hardware FDE (HH), optional DAR Location-Based Services features for additional access restriction, and guidance for implementing CSfC solutions in a High Assurance GOTS environment. Although the DAR solution designs can protect the confidentiality of data and render the EUD unclassified, they do not protect the integrity of an EUD outside of the control of approved users. Therefore, the NSA requires implementing organizations to define the circumstances in which an EUD that is part of the organization's solution is to be considered outside of the positive control of authorized users (i.e., "lost"). Authorizing Officials (AO) will define the circumstances for considering a device "lost" that align with the intended mission and threat environment for which the solution will be deployed. This document supersedes the DAR CP Version 4.0.

Download the approved Data-at-Rest Capability Package V5.0.

Contact the DAR CP Maintenance Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Data at Rest Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Data at Rest CP Solution Registration Form
Download: Data at Rest CP Requirements Mapped to CNSSI-1253 Security Controls
 


Enterprise Gray Implementation Requirements Annex

 

The Enterprise Gray Implementation Annex Version 1.1, dated 19 May 2022, has been approved by the Deputy National Manager (DNM) for National Security Systems.  This annex provides: techniques to deploy all three Data-in-Transit CPs (Mobile Access, Campus WLAN, and Multi-Site Connectivity) concurrently to reduce costs; guidance on remote management of Gray Management Services from a centralized location; routing protocols for enhanced scalability for large enterprise networks; and site survivability options to maintain access to classified resources. This document supersedes the Enterprise Gray Implementation Annex Version 1.0.

Download the approved Enterprise Gray Implementation Requirements Annex V1.1.

Contact the Enterprise Gray Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Enterprise Gray Implementation Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Enterprise Gray Implementation Requirements Mapped to CNSSI-1253 Security Controls
 


Key Management Requirements Annex

The Key Management (KM) Requirements Annex Version 2.1, dated May 2022, has been approved by the Deputy National Manager (DNM) for National Security Systems. The requirements outlined within have been demonstrated suitable for protecting classified information and National Security Systems, provided the implementation of the solution is configured, maintained and monitored as required by the published Capability Packages (CPs). The updated version of this annex incorporates relocated KM product selection requirements from all Data-In-Transit CSfC Capability Packages (CPs), relocated and updated KM role-based personnel requirements from all CSfC CPs, additional requirements to improve separation of inner and outer Public Key Infrastructures (PKIs), Password/Passphrase Strength Parameters appendix from DAR CP, relocated and updated Enterprise Gray KM requirements from CSfC Enterprise Gray Implementation Requirements Annex, and additional Certification Authorities deployment options figures. This document supersedes the KM Requirements Annex Version 2.0.

Download the approved Key Management Requirements Annex V2.1.

Contact the Key Management Requirements Team.

Key Management Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Key Management Requirements Mapped to CNSSI-1253 Security Controls
 


Symmetric Key Management Requirements Annex

The Symmetric Key Management (KM) Requirements Annex Version 2.1, dated May 2022, has been approved by the Deputy National Manager (DNM) for National Security Systems. This annex defines additional requirements for implementing Symmetric KM capabilities defined in CSfC Capability Packages (CPs). It allows for the use of Symmetric Pre-Shared Keys to provide quantum-resistant cryptographic protection of classified information in properly configured, maintained and monitored CSfC solutions. The updated version of this annex incorporates updated KGS product selection criteria, updated wording to improve and clarify PSK usage guidance, updated IPsec with RFC 8784-compliant implementations of IKEv2 PSK usage requirements, updated outer PSK classification requirement, and role-based personnel requirements. This document supersedes the SKM Requirements Annex Version 2.0.

Download the approved Symmetric Key Management Requirements Annex V2.1.

Contact the Key Management Requirements Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Symmetric Key Management Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Symmetric Key Management Annex v2.1 Requirements Mapping to NIST SP 800-53 Security Controls.

 

Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex

The Wireless Intrusion Detection System/Wireless Intrusion Prevention System (WIDS/WIPS) Annex Version 1.0, dated February 2021, has been approved by the Deputy National Manager (DNM) for National Security Systems to provide guidance to customers on monitoring and protecting CSfC WLAN Access Systems and securing classified spaces through the use of WIDS and WIPS.  This Annex applies to the Campus WLAN CP and the Mobile Access CP in a Government Private Wireless deployment.  The CSfC WIDS/WIPS Annex covers secure deployment, management and configuration of WIDS and WIPS within CSfC solutions, which aim to simplify and enhance current security in monitoring wireless solutions.

Download the Wireless Intrusion Detection System/Wireless Intrusion Prevention System Annex V1.0.

Contact the WIDS/WIPS Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov
Download: Wireless Intrusion Detection System (WIDS)/Wireless Intrusion Prevention System (WIPS) Annex v1.0 Requirements Mapping to NIST SP 800-53 Security Controls.

The CSfC Wireless Intrusion Detection System/Wireless Intrusion Prevention System (WIDS/WIPS) Annex 2.0.0 draft 1 has been drafted and is intended to solicit review and comments from the public.  The WIDS/WIPS Annex 2.0.0 draft 1 expanded the extended detection requirements to include areas such as cellular and Bluetooth protocols, changes to monitoring WPA3 to align with the updated WLAN CP v3.0, and improved administrative updates based on stakeholder feedback.
 
Download the WIDS/WIPS Annex 2.0.0 draft 1 here.
Download the comment matrix and instructions here.

Please fill out the comment matrix and send comments to CSfC_WIDS_team@nsa.gov by 2022 July 13.

NOTE: Solutions cannot be registered against this draft design. All solution registrations must be against the approved WIDS/WIPS Annex v1.0.


Continuous Monitoring Annex

The Continuous Monitoring (CM) Annex Version 1.0, dated 04 August 2021, has been approved by the Deputy National Manager (DNM) for National Security Systems to provide guidance for the collection and analysis of network and security data to enable continuous monitoring within a deployed CSfC solution.  CM is implemented as part of a holistic, risk management and defense-in-depth information security strategy integrated into CSfC architectures.

Download the Continuous Monitoring Annex V1.0.

Contact the Continuous Monitoring Team.

Applicable Forms: NSA provides downloadable resources for assistance with the CSfC process.

Continuous Monitoring Annex Solution Registration:
To request a copy of the Compliance Checklist Workbook, please contact csfc@nsa.gov.
Download: Continuous Monitoring Requirements Annex v1.0 Requirements Mapping to NIST SP 800-53 Security Controls.