Commercial Solutions for Classified Program (CSfC)
Attention CSfC Customers: Please ensure all submitted registration packages contain solution diagrams. Also, please advise us when you are deciding to implement a CSfC solution. We would like to ensure your solution can be registered as quickly as possible for approval. However, deviations discovered at the end of the process can be time-consuming for you and resource-intensive for NSA. Please email the CSfC team at firstname.lastname@example.org.
Commercial Solutions for Classified (CSfC) is an important part of NSA's commercial cybersecurity strategy to deliver secure cybersecurity solutions leveraging commercial technologies and products to deliver cybersecurity solutions quickly. It is founded on the principle that properly configured, layered solutions can provide adequate protection of classified data in a variety of different applications. NSA has developed, approved and published solution-level specifications called Capability Packages (CPs), and through the National Information Assurance Partnership (NIAP) works with Technical Communities from across industry, government and academia to develop, maintain and publish product-level security requirements called Protection Profiles (PPs). CPs for Mobile Access, Multi-Site Connectivity, Campus Wireless LAN, and Data at Rest solutions are now published on this site.
Points of Contact:
For general CSfC inquiries:
For Capability Package related inquiries:
Mobile Access CP
Campus WLAN CP
Multi-Site Connectivity CP
Data at Rest CP
To be included on CSfC updates:
For DoD/US Gov't customer inquiries:
U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, the National Security Agency/Central Security Service (NSA/CSS) has developed ways to leverage emerging technologies to deliver more timely cybersecurity solutions for rapidly evolving customer requirements.
NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.
Click to view Commercial Solutions for Classified Brochure (PDF).
Click to view Commercial Solutions for Classified Factsheet (PDF).
CNSS Policy on CSfC
The Committee on National Security Systems (CNSS) has issued a CSfC Advisory Memorandum that provides guidance to US Government Departments and Agencies as to the responsibilities for maintaining the security posture of National Security Systems using CSfC solutions.
Click here to go to the CNSS website.
Recommended Acquisition Language for Contracting Officers, Program Managers, Acquisition Officials:
To help ensure commercial component vendors meet CNSS Policy (CNSSP) No. 11 requirements, the following contractual language is recommended for procurements involving commercial technologies: Technologies for [Program X] shall be procured in accordance with CNSSP No. 11, "National Policy Governing the Acquisition of Information Assurance and IA-Enabled Information Technology Products." In addition, technologies shall be procured which have been validated by Common Criteria Testing Labs, in accordance with the National Information Assurance Partnership (NIAP) Protection Profiles (PPs). Where a PP exists but the desired product has not been validated against it, [Program X] shall direct the desired vendor to have their product validated against the appropriate, corresponding PP. For National Security Systems (NSS) where classified data is being protected at rest or in transit by commercial products, technologies from the Commercial Solutions for Classified (CSfC) Components List shall be used, in accordance with NSA's published CSfC Capability Packages. Capability Packages and the CSfC Components List can be found by visiting the CSfC Components List page. NIAP-validated products can be found at the NIAP website on the CCEVS Product Compliant List page.
NSA/CSS protects the nation's most critical information and systems against cyber-attacks through hardening and defending the cyber infrastructure. This is accomplished by using the right tool for the right job when delivering encryption solutions to NSS customers, and this includes responsibly leveraging commercial technologies. CSfC continues to be an important component in NSA's commercial cybersecurity and assurance strategy.
Updates will be posted frequently to this site as the Commercial Solutions for Classified program continues to progress. If you wish to receive an email notification about updates to this website, please email CSfC at email@example.com.