Skip Site Navigation
HomeResources For …EveryoneCommercial Solutions for Classified ProgramCapability Packages

Capability Packages

USG Customers: Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.

NSA welcomes comments on the approved Capability Packages, which can be sent to your NSA/IAC Client Advocate or the appropriate capability package maintenance team.

Updates to these Capability Packages will be posted to this site.

What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements. Each Capability Package has a classified Risk Assessment associated with it. Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.

How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA/CSS through the IAC Client Contact Center.

Integrators should coordinate through their U.S. Government customer points of contact.

Mobile Access Capability Package

This CP provides high-level reference designs and corresponding configuration requirements that allow customers to select COTS products from the CSfC Components List, available on the CSfC web page, for their MA solution and properly configure those products to achieve a level of assurance sufficient for protecting classified data while in transit. As described in Section 11, customers must ensure that the components selected from the CSfC Components List will provide the necessary functionality for the selected capabilities. To successfully implement a solution based on this CP, all Threshold Requirements, or the corresponding Objective Requirements applicable to the selected capabilities, must be implemented, as described in Sections 10-12. Customers who want to use this CP must register their solution with the NSA. Additional information about the CSfC process is available on the CSfC web page.

This document, the CSfC MA CP Version 2.0, has been approved by the Deputy National Manager (DNM) for National Security Systems and will be reviewed twice a year to ensure that the defined capabilities and other instructions still provide the security services and robustness required to protect classified information. Solutions designed according to this CP must be registered with the NSA. Once registered, a Registration Acknowledgement Letter signed by the CSfC Director will be returned to registrant validating the specific MA solution as registered and in compliance with the requirements of the currently published MA CP. Solution registrations are valid for one year after which they must then be re-registered against the most recently published version of this CP. Top Secret solutions will be considered on a case-by-case basis.  Customers are encouraged to engage their Client Advocate or the CSfC Program Management Office (PMO) team early in the process to ensure the solutions are properly scoped, vetted, and that the customers have an understanding of risks and available mitigations.

Contact the Mobile Access CP Maintenance Team at

Download the approved Mobile Access Capability Package v2.0.

Campus WLAN Capability Package

The Campus Wireless Local Area Network (WLAN) Version 2.1 Capability Package, dated January 2018, has been approved by the Deputy National Manager for National Security Systems. This Capability Package enables customers to meet the demand for commercial End User Devices (i.e., tablets, smartphones and laptop computers) to access secure enterprise services over a campus wireless network. This document supersedes the Campus WLAN Version 2.0 Capability Package.

Users of this Capability Package are responsible for obtaining, under their organization's established accreditation and approval processes, certification and accreditation of the user's implementation of this Capability Package. Solutions designed according to this Capability Package must be registered with NSA. Once registered, a signed NSA Approval Letter will be provided validating that the Campus WLAN Capability Package represents a CSfC solution approved for protecting classified information.

Contact the Campus WLAN CP Maintenance Team at

Download the approved Campus WLAN Capability Package v2.1.

Multi-Site Connectivity Capability Package

Version 1.0 of the Multi-Site Connectivity (MSC) Capability Package (CP), dated 23 February 2017, has been approved by the Deputy National Manager for National Security Systems. This CP describes a general MSC Solution to protect classified information as it travels across either an untrusted network or a network of a different security level. The solution supports interconnecting two or more networks operating at the same security level via encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations.

The MSC Solution uses two nested, independent encryption tunnels to protect the confidentiality and integrity of data as it transits the untrusted network. The two encryption tunnels protecting a data flow can use either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure.

NOTE: The Virtual Private Network v3.2 CP has been archived. Registrations should be made against MSC v1.0 CP.

Contact the Multi-Site Connectivity CP Maintenance Team at

Download the Multi-Site Connectivity Capability Package v1.0.

Data at Rest Capability Package

The Data-at-Rest (DAR) Capability Package (CP) Version 4.0 enables customers to implement two independent layers of encryption for the purpose of providing protection for stored information using NSA approved cryptography while the End User Device (EUD) is powered off or in an unauthenticated state. Unauthorized, in this case, means prior to a user presenting and having their credentials (e.g., password, tokens, etc.) validated by both layers of the DAR solution. Specific data to be protected must be determined by the data owner. Although the DAR solution designs can protect the confidentiality of data and render the EUD unclassified, it does not protect the integrity of an EUD outside of the control of approved users. Therefore, the NSA requires implementing organizations to define the circumstances in which an EUD that is part of the organization's solution is to be considered outside of the positive control of authorized users (i.e., "lost"). Authorizing Officials (AO) will define the circumstances for considering a device "lost" that aligns with the intended mission and threat environment for which the solution will be deployed. This CP is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied.

Contact the DAR CP Maintenance Team at

Download the approved Download the approved Data-at-Rest Capability Package v4.0

Enterprise Gray Implementation Requirements Annex Version 0.8

The Enterprise Gray Implementation Requirements Annex Version 0.8 introduces guidance that helps customers grow and expand their networks across geographically larger distances while leveraging their existing infrastructure and services to manage that growth. This annex references the three Data-in-Transit CPs (Campus Wireless Area Network, Mobile Access and Multi-Site Connectivity) using approved cryptographic algorithms and National Information Assurance Partnership evaluated components. The CSfC Enterprise Gray Implementation Requirements Annex provides cost effective techniques to deploy all three Data-in-Transit CPs at the same time using centralized certificate and Virtual Private Network (VPN) management. Selecting equipment with the ability to collapse into components for multi-use, allows customers to deploy multiple CPs simultaneously.

Feedback should be sent to

Download the Enterprise Gray Implementation Requirements Annex Version 0.8


Attention CSfC Customers: Please ensure all submitted registration packages contain solution diagrams. Also, please advise us when you are deciding to implement a CSfC solution. We would like to ensure your solution can be registered as quickly as possible for approval. However, deviations discovered at the end of the process can be time-consuming for you and resource-intensive for NSA. Please email the CSfC team at