- CSfC Capability Packages
- CSfC Solution Registration and Approval Process
- Commercial Component Developer Engagement
- Trusted Integrator Application
- Frequently Asked Questions
- Contact Information
Download the PDF Version Here
What is Commercial Solutions for Classified (CSfC)?
The National Security Agency (NSA) Commercial Solutions for Classified (CSfC) Program enables commercial products to be used in layered solutions leveraging industry innovation in order to protect classified National Security Systems (NSS) data. This provides the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.
NSA has developed, approved and published solution-level specifications called Capability Packages (CPs), and works with technical communities from across the industry, government, and academia to develop and publish product-level requirements in US Government Protection Profiles (PPs). CPs for Mobile Access (MA), Campus Wireless LAN, Multi-Site Connectivity (MSC) and Data at Rest (DAR) solutions are listed on the CSfC website.
The CSfC handbook serves as a quick reference guide for clients, Commercial Component Developers, and Trusted Integrators (TI). The information contained herein will help explain the processes for these stakeholders.
U.S. Government Client
Typical CSfC clients include Department of Defense, Intelligence Community, Military Services, and other Federal Agencies. These NSS stakeholders utilize CSfC’s CPs to rapidly implement commercial cybersecurity solutions to achieve their mission objectives.
TIs support NSS clients with the implementation of CSfC CPs. TIs specialize in architecting together CSfC components in accordance with the CSfC CPs to ensure secure and proper solution functionality. The NSA CSfC Program Management Office (CSfC PMO) provides criteria and processes to establish a common baseline for TIs. This enables the NSA and AOs/Designated Approving Authorities (DAAs) to assess the capabilities of solution integrators and accept their results. TIs that demonstrate compliance with these criteria and sign a Memorandum of Agreement (MoA) with NSA have the option to be listed as a CSfC TI. Learn more about Criteria for TIs.
Commercial Component Developer
Commercial component developers (i.e., vendors) who wish to have their products listed as CSfC approved components must build their products in accordance with the applicable U.S. Government/collaborative PPs and submit their products for evaluation using the Common Criteria Process. View the CSfC components list.
Authorizing Official/Designated Approving Authority (AO/DAA)
The AO/DAA is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
4. CSfC Capability Packages
Capabilities Packages are the foundation of the CSfC Program. These can be customized to the client’s needs in order to help them achieve their mission objectives. CPs provide designs that allow the client to independently implement secure solutions using approved layered Commercial Off-the-Shelf (COTS) products. These are vendor-agnostic and provide high-level security and configuration guidance for the client and/or TIs. CPs are updated biannually or as warranted.
Described below in sections 4.1 – 4.4 are the National Manager approved CPs.
4.1 Mobile Access (MA) CP
The Mobile Access CP describes how to protect classified data in MA solutions transiting wired networks, domestic cellular networks, and trusted wireless networks to include government private cellular networks and government private Wi-Fi networks.
An MA solution protects classified information as it travels across either an untrusted network or a network consisting of multiple classification levels. This solution supports connecting end-user devices (EUDs) to a classified network via two layers of encryption terminated on the EUD provided that the EUD and the network operate at the same security level.
An MA solution uses two nested, independent tunnels to protect the confidentiality and integrity of data (including voice and video) as it transits the untrusted network. This solution utilizes Internet Protocol Security (IPSec) as the outer tunnel and, depending on the solution design, IPsec or Transport Layer Security (TLS) as the inner layer of protection.
4.2 Campus Wireless Local Area Networks (WLAN) CP
The Campus WLAN CP meets the demand for commercial End User Devices (EUDs) (i.e., tablets, smartphones, and laptop computers) to access secure enterprise services over a campus wireless network. Cryptographic algorithms, known as Commercial National Security Algorithm (CNSA) Suite, are used to protect data using layers of Commercial off the Shelf (COTS) products. This solution enables the client to implement layered encryption between a secure network and EUDs.
This CP provides a reference architecture and corresponding configuration information that allows customers to select COTS products from the CSfC Components List for their Campus WLAN solution and then to properly configure those products to achieve a level of assurance sufficient for protecting classified data while in transit.
4.3 Multi-Site Connectivity CP (MSC)
The MSC CP describes a general MSC Solution to protect classified information as it travels across either an untrusted network or a network of a different security level. The solution supports interconnecting two or more networks operating at the same security level via encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations.
The MSC solution uses two nested, independent encryption tunnels to protect the confidentiality and integrity of data as it transits the untrusted network. The two encryption tunnels protecting a data flow can use either IPsec generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure.
4.4 Data at Rest (DAR) Solution CP
The DAR CP meets the demand for DAR solutions using the Commercial National Security Algorithm (CNSA) Suite. These algorithms are used to protect up to top secret data using layers of COTS products. The DAR CP enables the customers to implement two independent layers of encryption for the purpose of providing protection for stored information on the End User Device (EUD) or DAR protected system, while in a powered off or unauthenticated state.
This CP provides high-level reference designs and corresponding configuration requirements that allow customers to select COTS products from the CSfC Components List for their DAR solution and then to properly configure those products to achieve a level of assurance sufficient for protecting classified data while at rest.
5. CSfC Solution Registration and Approval Process
The flowchart below captures the overall CSfC approval process from the initial development/ publication of the CP to the final connection approval decision by the relevant AO/DAA.