
Commercial Solutions for Classified Program

ATTENTION CONTRACTING OFFICERS, PROGRAM MANAGERS, ACQUISITION OFFICIALS: To help ensure commercial component vendors meet CNSS Policy (CNSSP) No. 11 requirements, the following contractual language is recommended for procurements involving commercial technologies:

Technologies for [Program X] shall be procured in accordance with CNSSP No. 11, "National Policy Governing the Acquisition of Information Assurance and IA-Enabled Information Technology Products." In addition, technologies shall be procured which have been validated by Common Criteria Testing Labs, in accordance with the National Information Assurance Partnership (NIAP) Protection Profiles (PPs). Where a PP exists but the desired product has not been validated against it, [Program X] shall direct the desired vendor to have their product validated against the appropriate, corresponding PP. For National Security Systems (NSS) where classified data is being protected at rest or in transit by commercial products, technologies from the Commercial Solutions for Classified (CSfC) Components List shall be used, in accordance with NSA's published CSfC Capability Packages.

Capability Packages and the CSfC Components List can be found by visiting the CSfC Components List page. NIAP-validated products can be found at the NIAP website on the CCEVS Product Compliant List page.

Background

U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, the National Security Agency/Central Security Service's (NSA/CSS) Information Assurance Directorate (IAD) is developing new ways to leverage emerging technologies to deliver more timely IA solutions for rapidly evolving customer requirements.

NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.

Click to view Commercial Solutions for Classified Brochure (PDF).


What is the Process to get a Commercial Product CSfC-Listed?

Vendors who wish to have their products eligible as CSfC components of a composed, layered IA solution must build their products in accordance with the applicable US Government approved Protection Profile(s) and submit their product using the Common Criteria Process.

The vendor will enter into a Memorandum of Agreement (MoA) with NSA. The MoA specifies that the vendor’s product must be NIAP certified, FIPS certified, and that the vendor agrees to fix vulnerabilities in a timely fashion. The MoA may also reference technology-specific selections for NIAP testing.

Interested vendors must complete and submit the CSfC Questionnaire (PDF) for each product. Please submit completed questionnaires to csfc_components@nsa.gov.

Questions regarding CSfC components may be directed to csfc_components@nsa.gov.


An Update to the Manufacturer Diversity Requirement

The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers. The manufacturer must show sufficient independence in the code base and cryptographic implementations of the products used to implement each layer. To demonstrate this, a manufacturer must document the similarities and differences between the two products, to include cryptographic hardware components, software code base (i.e. operating system), software cryptographic libraries, and development teams. It is a fundamental requirement that the code bases of the two products be significantly different. Additionally, the vendor must document measures taken to ensure that supply chain risk is no greater than would be the case for products from two different vendors. NSA will review the information and determine whether the documentation is sufficient to meet the requirements for independent layers. Manufacturer diversity will continue to be accepted to constitute independent layers.

Vendors who wish to submit a statement may do so at csfc_components@nsa.gov.


CSfC Components List

Click here to download the CSfC Components List. Customers select products from this listing to satisfy the reference architectures and configuration information contained in published Capability Packages. Customers must ensure that the components selected will permit the necessary functionality for the selected architecture.

Components used in prototypes that are not NIAP-approved may be listed on the CSfC Components List provisionally until a US Government approved Protection Profile for the technology is available. Once the Protection Profile is available, a company has six months to enter into a MoA with NSA to remain listed as a CSfC component.

For some technologies, the CSfC program requires specific, selectable requirements to be included in the Common Criteria evaluation validating that the product complies with the applicable NIAP-approved protection profile(s). Some selections, which are not required for the product to be listed on the NIAP Product Compliant List, are mandatory selections for products that are to be listed on the CSfC Components List.

To see the selectable requirements, go to the CSfC Components List and click on the links for IPSec VPN Gateways, IPSec VPN Clients, WLAN Clients, WLAN Access Systems, Certificate Authorities, MDM, SW FDE, Mobile Platforms, SIP Servers and VoIP Applications.

Open source components may be listed, provided they have a responsible sponsor and an NSA-approved plan for taking the component through Common Criteria evaluation and for sustainment of the component. Customers wishing to use open source components should contact csfc_components@nsa.gov with their evaluation and sustainment plans and the responsible parties for each.

Questions regarding the CSfC Components List may be directed to csfc_components@nsa.gov.


What Protection Profiles are Published and in Development?

For a current listing of NIAP approved U.S. Government Protection Profiles, go to http://www.niap-ccevs.org/pp/.

For a listing of U.S. Government Protection Profiles currently in development, go to http://www.niap-ccevs.org/pp/draft_pps/.

Additional information about NIAP and the Common Criteria Evaluation and Validation Scheme can be found at http://www.niap-ccevs.org/.


What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements.


How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA/CSS through their designated IAD Customer Advocates.

Integrators should coordinate through their U.S. Government customer points of contact.


How do Customers Register a CSfC Solution?

Customers will submit a compliance checklist and registration form to NSA (see below sections for forms specific to each Capability Package). The registration process includes the following steps:

  1. The customer completes the compliance checklist, detailing how their solution complies with the Capability Package, and submits the checklist to the Authorizing Official (AO).
  2. The customer tests the solution.
  3. The AO confirms after testing that the checklist is accurate and signs the CSfC registration form.
  4. The AO submits the registration form and compliance checklist to NSA.
  5. NSA provides a letter acknowledging registration.
  6. The AO provides Authority to Operate (ATO).

NSA recommends that Authorizing Officials use the compliance checklists during their process for granting Interim Approval to Test.


Criteria for CSfC Integrators

Click here to download the updated criteria and application for CSfC Integrators. These criteria and processes are defined to provide a common baseline for CSfC solution integrators, enabling NSA, AOs/Designated Approving Authorities (DAAs) to assess the capabilities of solution integrators and accept their results. Interested integrators may submit their application to CSFC_Integrators@nsa.gov. Questions may be submitted to the same email address.

Click here to view the Commercial Solutions for Classified Program Trusted Integrator List

ATTENTION INTEGRATORS: While CSfC encourages industry innovation, trustworthiness of the components is paramount. Customers and their integrators are advised that modifying a NIAP-validated component in a CSfC solution may invalidate its certification and trigger a revalidation process. To avoid delays, customers or integrators who feel it is necessary to modify a component should engage the component vendor and consult NIAP through their Assurance Continuity process to determine whether such a modification will affect the component's certification. In case of a modification to a component, NSA's CSfC Program Management Office will require a statement from NIAP that the modification does not alter the certification, or the security, of the component. Modifications that will trigger the revalidation process include, but are not limited to: configuring the component in a manner different than its NIAP-validated configuration; and modifying the original equipment manufacturers' (OEM's) code (to include digitally signing the code).


The Future

Although NSA/CSS's strategy for protecting classified information continues to employ both commercially-based and traditional Government-Off-The-Shelf (GOTS) IA solutions, IAD will look first to commercial technology and commercial solutions in helping customers meet their needs for protecting classified information while continuing to support customers with existing GOTS IA solutions or needs that can only be met via GOTS.

Updates will be posted to this site as the Commercial Solutions for Classified program continues to progress. If you wish to receive an email notification about updates to this website, please email CSfC at csfc@nsa.gov.


Frequently Asked Questions

Click here to download the Non-Technical Frequently Asked Questions

Click here to download the Technical Frequently Asked Questions

CSfC Customer Handbook

Click here to download the Customer Handbook. This will serve as a guide for CSfC customers on how to use the Capability Packages, CSfC Component Listing, Registration, and Lifecycle Support resources.


General Questions

For general queries about the Commercial Solutions for Classified Program, email CSfC at csfc@nsa.gov.


Capability Packages

Mobile Access Capability Package

The Mobile Access (MA) Capability Package (CP) is intended to meet the demand for mobile solutions using approved cryptographic algorithms and National Information Assurance Partnership (NIAP) validated components to protect classified data using layers of Commercial off the Shelf (COTS) products. MA CP Version 0.8 is the initial release to provide customer requirements for domestic and international voice, video, and data capabilities from a mobile End User Device (EUD).  The MA CP Version 0.8 builds on the EUD designs of the Virtual Private Network (VPN) CP Version 3.0 as well as the Mobility Security Guide Version 2.3. 

NSA will not accept solution registrations against MA CP Version 0.8. The intent of this initial release is to solicit comments from customer and commercial industry stakeholders.  Feedback received by 12 January 2015 will be reviewed and incorporated where appropriate into Version 1.0 of the MA CP.  Customers will be able to register solutions against MA CP Version 1.0. 

Specifically, we are seeking customer, vendor and integrator feedback on several questions: click here for the MA CP questions.

Click here to download the public comment release of this Capability Package: Mobile Access Capability Package v0.8.

Click to download the Mobile Access CP v.08 Comment Matrix and Instructions. Please use this matrix for comments/suggestions.

The Information Assurance Directorate welcomes all comments.  Please send them to mobile_access@nsa.gov.

Updates to this CP will be posted to this site.


Campus WLAN Capability Package

The Campus IEEE 802.11 Wireless Local Area Network (WLAN) Version 1.1 Capability Package, dated 04 March 2014, has been approved by the IA Director. This Capability Package enables customers to meet the demand for commercial End User Devices (i.e., tablet and laptop computers) to access secure enterprise services over a campus wireless network. This Capability Package takes lessons learned from two proof-of-concept demonstrations which included the layered use of COTS products for the protection of classified information. This document is intended to be a living reference that will be reviewed twice a year to ensure that the defined architecture and other instructions still provide the required security services and robustness.

Users of this Capability Package are responsible for obtaining, under their organization's established accreditation and approval processes, certification and accreditation of the user's implementation of this Capability Package. Solutions designed according to this Capability Package must be registered with NSA/IAD. Once registered, a signed IAD Approval Letter will be provided validating that the Campus WLAN Capability Package represents a CSfC solution approved for protecting classified information.

Click here to download the approved Campus WLAN Version 1.1 Capability Package: Campus WLAN Capability Package (PDF)

IAD welcomes comments on the approved Campus WLAN Version 1.1 Capability Package, which can be sent to your NSA/IAD Client Advocate or the Campus WLAN Capability Package maintenance team at Wi-Fi@nsa.gov.

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.

Campus WLAN Solution Registration

All CSfC Campus WLAN solutions operating on National Security Systems (NSS) or protecting NSS information need to be registered with NSA. In order to complete the solution registration form, you will need an assigned ID number. You can request this registration number by sending an email to csfc@nsa.gov.

All customers are required to submit a Campus WLAN compliance checklist with their registration form. Please provide brief responses.

Click here to download the Campus WLAN CP Compliance Checklist: Campus WLAN CP Compliance Checklist

Click here to download the Campus WLAN Solution Registration form: Campus WLAN Solution Registration Form

By signing the registration form the AO is either: asserting compliance with the published Campus WLAN CP and acknowledging/accepting the risk of fielding a CSfC solution; or acknowledging inclusion of a Campus WLAN CP Deviation Approval signed by NSA and acknowledging/accepting the risk of fielding a CSfC solution.

Completed registration forms and compliance checklists should be emailed to: csfc_register@nsa.gov.

If the form is classified, please contact the CSfC Program Management Office for delivery instructions.


Archived Campus WLAN Capability Packages

NSA will not accept solution registrations against the following superseded Campus WLAN Capability Packages. CSfC customers should use the latest IAD-approved version of the Campus WLAN Capability Package.

Archived Capability Package Superseded By

Campus WLAN CP Version 0.8 (04 Oct 2012)
Campus WLAN CP Version 0.9 (14 Dec 2012) Campus WLAN CP Version 1.0 (20 Aug 2013)

Campus WLAN CP Version 1.1 (04 Mar 2014)

Virtual Private Network (VPN) Capability Package

Version 3.1 of the VPN Capability Package, dated 11 March 2015, has been approved by the IA Director. Version 3.1 contains corrected language concerning the ESP requirement. This Capability Package enables customers to implement VPNs between two or more sites and VPNs between fixed sites and End User Devices (EUDs). This Capability Package takes lessons learned from four proof-of-concept demonstrations that had implemented a set of Suite B algorithms, modes of operation, standards, and protocols. These demonstrations included a layered use of COTS products for the protection of classified information. This document is intended to be a living reference that will be reviewed twice a year to ensure that the defined architecture and other instructions still provide the required security services and robustness.

Users of this Capability Package are responsible for obtaining, under their organization's established accreditation and approval processes, certification and accreditation of the user's implementation of this Capability Package. Solutions designed according to this Capability Package must be registered with NSA/IAD. Once registered, a signed IAD Approval Letter will be provided validating that the VPN Capability Package represents a CSfC solution approved for protecting classified information.

Click here to download the approved VPN Capability Package v3.1: Virtual Private Network Capability Package v3.1.

IAD welcomes comments on the approved VPN Capability Package v3.1, which can be sent to your NSA/IAD Client Advocate or the VPN Capability Package maintenance team at VPN@nsa.gov.

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.

VPN Solution Registration

All CSfC VPN solutions operating on National Security Systems (NSS) or protecting NSS information need to be registered with NSA. In order to complete the solution registration form, you will need an assigned ID number. You can request this registration number by sending an email to csfc@nsa.gov.

If the VPN solution has one infrastructure with multiple VPN end user devices, only one VPN registration form will need to be submitted. If the VPN solution is re-used at multiple locations, a separate VPN registration form for each location must be submitted.

All customers are required to submit a VPN compliance checklist with their registration form. Please provide brief, specific responses.

Click here to download the VPN CP Compliance Checklist: VPN CP Compliance Checklist.

Click here to download the VPN Solution Registration form: VPN Solution Registration Form.

By signing the registration form the AO is either: asserting compliance with the published VPN CP and acknowledging/accepting the risk of fielding a CSfC solution; or acknowledging inclusion of a VPN CP Deviation Approval signed by NSA and acknowledging/accepting the risk of fielding a CSfC solution.

Completed registration forms and compliance checklists should be emailed to: csfc_register@nsa.gov.

If the form is classified, please contact the CSfC PMO for delivery instructions.


Archived VPN Capability Packages

NSA will not accept solution registrations against the following superseded VPN Capability Packages. CSfC customers should use the latest IAD-approved version of the VPN Capability Package.

Archived Capability Package Superseded By
Multi-Site VPN CP Version 0.8 (14 Mar 2012)
Multi-Site VPN CP Version 1.0 (17 Aug 2012)
VPN CP Version 1.08 (04 Mar 2013)
VPN CP Version 2.00 (28 May 2013)
VPN CP Version 2.08 (19 Dec 2013)
VPN CP Version 3.1 (12 June 2014)
VPN CP Version 3.1 (11 March 2015)

Data at Rest Capability Package

The first CSfC data-at-rest document to be approved is the Data-at-Rest (DAR) Capability Package (CP) Version 1.0 to meet the demand for data-at-rest solutions using a Secure Sharing Suite (S3) of algorithms [NSA Suite B]. The goal for the DAR CP Version 1.0 solution is to protect classified data when the EUD is powered off or unauthorized. Unauthorized, in this case, means prior to a user presenting and having their credentials (e.g., password, tokens, etc.) validated by both layers of the DAR solution. Specific data to be protected must be determined by the data owner. Although the DAR solution designs can protect the confidentiality of data and render the EUD unclassified, they do not protect the integrity of an EUD outside of the control of approved users. Therefore, the NSA requires implementing organizations to define the circumstances in which an EUD that is part of the organization's solution is to be considered outside of the positive control of authorized users (i.e., "lost"). Authorizing Officials (AO) will define the circumstances for considering a device "lost" that align with the intended mission and threat environment for which the solution will be deployed. This CP is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied.

Click here to download the approved DAR Capability Package: Data-at-Rest Capability Package v1.0.

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.


Data at Rest Solution Registration

All CSfC DAR solutions operating on National Security Systems (NSS) or protecting NSS information need to be registered with NSA. In order to complete the solution registration form, you will need an assigned ID number. You can request this registration number by sending an email to csfc@nsa.gov.

All customers are required to submit a DAR compliance checklist with their registration form. Please provide brief, specific responses.

Click here to download the DAR CP Compliance Checklist: DAR CP Compliance Checklist

Click here to download the DAR Solution Registration form: DAR Solution Registration Form.

By signing the registration form the AO is either: asserting compliance with the published DAR CP and acknowledging/accepting the risk of fielding a CSfC solution; or acknowledging inclusion of a DAR CP Deviation Approval signed by NSA and acknowledging/accepting the risk of fielding a CSfC solution.

Completed registration forms and compliance checklists should be emailed to: csfc_register@nsa.gov.

If the form is classified, please contact the CSfC PMO for delivery instructions.


Archived DAR Capability Packages

NSA will not accept solution registrations against the following superseded DAR Capability Packages. CSfC customers should use the latest IAD-approved version of the DAR Capability Package.

Archived Capability Package Superseded By
DAR Version 0.8 CP (03 July 2014) DAR Version 1.0 (15 October 2014)

Capability Packages - What's in Development

NSA is currently updating and evolving its suite of Capability Packages. Releases forthcoming in the next few quarters include:

  • Mobile Access v1.0 Cellular and Trusted Hotspot (1Q CY–2015) – supersedes Mobility Security Guide 2.3, includes DAR, and enables customer registration
  • Trusted Wireless User Access (2Q CY–2015) – evolution of WLAN/Campus WLAN CP; features a shared WPA2 layer
  • Secure Multisite Connectivity – extends VPN v3.0 to include MACsec use cases and to enable secure high-speed connectivity

Go to NSA Mobility Program to download the Mobility Security Guide.


Updates

Date Item
20 Mar 2015 Updated the Virtual Private Network section and updated the Components List.
11 Mar 2015 Added new Trusted Integrator; Updated the Components list
04 Mar 2015 Added new Trusted Integrator; Added new section: TLS Software Applications and Updated Components List
18 Feb 2015 Updated Components List
28 Jan 2015 Added new section: Data At Rest Solution Registration; Updated the Components List
22 Jan 2015 Updated the Data At Rest Capability Package section; Uploaded the Components List; and updated the Trusted Integrator List
08 Jan 2015 Updated the Data At Rest Capability Package section; Uploaded the approved DAR Capability Package; Created a new section "Archived VPN Capability Packages"; Updated the "Capability Packages - What's In Development" section.
23 Dec 2014 Updated the Components List
15 Dec 2014 Updated the CSfC Components List: Updated the Mobile Access Capability Package; and Updated the Encryption Capability Package Specification Document
10 Dec 2014 Updated landing page text; added a new Mobile Access Capability Package section; Updated Components List; and Updated Trusted Integrator List
02 Dec 2014 Updated Components List
25 Nov 2014 Updated Components List
18 Nov 2014 Added updated VPN & Campus WLAN registration forms; Updated Components List; Updated Trusted Integrator List; and updated landing page text
05 Nov 2014 Updated landing page text
27 Oct 2014 Updated Components List
23 Oct 2014 Updated Components List
07 Oct 2014 Established Trusted Integrator List; updated landing page text
01 Oct 2014 Added updated editable Compliance Checklists; updated Components List; established Archived Components List; updated landing page text
15 Sep 2014 Updated Components List
04 Aug 2014 Added updated Compliance Checklists; added VPN Ver 3.0 CP; archived VPN Ver 2.0 CP and VPN Ver 2.08 CP; updated landing page text
28 Jul 2014 Added Campus WLAN Ver 1.1 CP; updated landing page text
18 Jul 2014 Added DAR Ver 1.0 CP; updated landing page text
26 Jun 2014 Updated Components List
23 May 2014 Updated integrator criteria section and document; updated brochure; updated compliance checklist text.
02 May 2014 Added Campus WLAN and VPN Compliance Checklists; updated landing page text regarding registration, MoAs, and Integrator Criteria.
19 Feb 2014 Added CSfC Components List Version 1.0; added VPN Version 2.08 CP, Comment Matrix and Instructions; updated landing text
23 Dec 2013 Added Campus WLAN Version 1.0 CP; removed older Campus WLAN CP version; added VPN and Campus WLAN Solution Registration forms; updated landing text
05 Nov 2013 Added Integrator Criteria; updated landing text
29 Aug 2013 Added VPN Version 2.0 CP; removed older VPN CP versions; added Archived VPN section; updated landing text
13 May 2013 Added VPN Version 1.08 CP Comment Matrix and Instructions; updated landing text
23 Apr 2013 Added VPN Version 1.08 CP; updated landing page text
18 Apr 2013 Added Brochure v2-5, Questionnaire v1.2
15 Feb 2013 Added Campus WLAN Ver 0.9 CP; updated landing page text
29 Jan 2013 Added VPN Version 1.0 CP and Customer Handbook; updated landing page text
05 Nov 2012 Added Campus WLAN Ver 0.8 CP; updated landing page text
15 Jul 2012 Added FAQ Responses; updated landing page text
15 May 2012 Updated Tri-Fold and landing page text
21 Mar 2012 Website established
 

Date Posted: Mar 21, 2012 | Last Modified: Mar 20, 2015 | Last Reviewed: Mar 20, 2015

 