Capability Packages

USG Customers: Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.

NSA welcomes comments on the approved Capability Packages, which can be sent to your NSA Client Advocate or the appropriate capability package maintenance team.

Updates to these Capability Packages will be posted to this site.

Archived Capability Packages

Mobile Access Capability Package

Campus WLAN Capability Package

Multi-Site Connectivity Capability Package

Data at Rest Capability Package

Enterprise Gray Implementation Requirements Annex

Key Management Requirements Annex

Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex

What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements. Each Capability Package has a classified Risk Assessment associated with it. Please visit CSfC's JWICS or SIPRNet websites to download the current risk assessments, or contact the Client Contact Center to request a copy.

How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA/CSS through the NSA Client Contact Center.

Integrators should coordinate through their U.S. Government customer points of contact.

Mobile Access Capability Package

This CP provides high-level reference designs and corresponding configuration requirements that allow customers to select COTS products from the CSfC Components List, available on the CSfC web page, for their MA solution and properly configure those products to achieve a level of assurance sufficient for protecting classified data while in transit. As described in Section 11, customers must ensure that the components selected from the CSfC Components List will provide the necessary functionality for the selected capabilities. To successfully implement a solution based on this CP, all Threshold Requirements, or the corresponding Objective Requirements applicable to the selected capabilities, must be implemented, as described in Sections 10-12. Customers who want to use this CP must register their solution with the NSA. Additional information about the CSfC process is available on the CSfC web page.

Version 2.1 of the Mobile Access Capability Package, dated 26 June 2018, has been approved by the Deputy National Manager (DNM) for National Security Systems and will be reviewed twice a year to ensure that the defined capabilities and other instructions still provide the security services and robustness required to protect classified information. Solutions designed according to this CP must be registered with the NSA. Once a solution is registered, a Registration Acknowledgement Letter signed by the CSfC Director will be returned to the registrant, validating the specific MA solution as registered and in compliance with the requirements of the currently published MA CP. Solution registrations are valid for one year, after which they must be re-registered against the most recently published version of this CP. Top Secret solutions will be considered on a case-by-case basis. Customers are encouraged to engage their Client Advocate or the CSfC Program Management Office (PMO) team early in the process to ensure that the solutions are properly scoped and vetted, and that the customers have an understanding of risks and available mitigations. This document supersedes the Mobile Access Capability Package Version 2.0.

Contact the Mobile Access CP Maintenance Team at mobile_access@nsa.gov.

Download the approved Mobile Access Capability Package v2.1

Campus WLAN Capability Package

The Campus Wireless Local Area Network (WLAN) Version 2.2 Capability Package, dated 26 June 2018, has been approved by the Deputy National Manager for National Security Systems. This Capability Package enables customers to meet the demand for commercial End User Devices (i.e., tablets, smartphones and laptop computers) to access secure enterprise services over a campus wireless network. This document supersedes the Campus WLAN Version 2.1 Capability Package.

Users of this Capability Package are responsible for obtaining, under their organization's established accreditation and approval processes, certification and accreditation of the user's implementation of this Capability Package. Solutions designed according to this Capability Package must be registered with NSA. Once registered, a signed NSA Approval Letter will be provided validating that the Campus WLAN Capability Package represents a CSfC solution approved for protecting classified information.

Contact the Campus WLAN CP Maintenance Team at Wi-Fi@nsa.gov.

Download the approved Campus WLAN Capability Package v2.2

Multi-Site Connectivity Capability Package

Version 1.1 of the Multi-Site Connectivity (MSC) Capability Package, dated 26 June 2018, has been approved by the Deputy National Manager for National Security Systems. This CP describes a general MSC Solution to protect classified information as it travels across either an untrusted network or a network of a different security level. The solution supports interconnecting two or more networks operating at the same security level via encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations. This document supersedes the Multi-Site Connectivity Capability Package Version 1.0.

The MSC Solution uses two nested, independent encryption tunnels to protect the confidentiality and integrity of data as it transits the untrusted network. The two encryption tunnels protecting a data flow can use either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure.

Contact the Multi-Site Connectivity CP Maintenance Team at msc_cp@nsa.gov.

Download the approved Multi-Site Connectivity Capability Package v1.1.

Data at Rest Capability Package

Version 4.0 of the Data-at-Rest (DAR) Capability Package, dated January 2018, enables customers to implement two independent layers of encryption for the purpose of providing protection for stored information using NSA approved cryptography while the End User Device (EUD) is powered off or in an unauthenticated state. Unauthenticated, in this case, means prior to a user presenting and having their credentials (e.g., password, tokens, etc.) validated by both layers of the DAR solution. Specific data to be protected must be determined by the data owner. Although the DAR solution designs can protect the confidentiality of data and render the EUD unclassified, they do not protect the integrity of an EUD outside of the control of approved users. Therefore, the NSA requires implementing organizations to define the circumstances in which an EUD that is part of the organization's solution is to be considered outside of the positive control of authorized users (i.e., "lost"). Authorizing Officials (AO) will define the circumstances for considering a device "lost" that align with the intended mission and threat environment for which the solution will be deployed. This CP is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied.

Contact the DAR CP Maintenance Team at csfc_dar_team@nsa.gov.

Download the approved Data-at-Rest Capability Package v4.0


Note: The Data-at-Rest v4.8 Draft dated October 2019 provides two new use-cases for Enterprise Management (EM) and Unattended Operations (UO), a new solution design for Hardware FDE/Hardware FDE (HH), an optional DAR location-based service feature for additional access restriction, and guidance for implementing CSfC solutions in a High Assurance GOTS environment. This draft document is being posted to solicit external review, comment and feedback. Comments should be entered on the provided comment matrix with a rationale for each comment. Of particular interest to the DAR Team are any specific comments regarding interest/applicability of the HH solution design, and ideas/examples on the implementation of EM and UO use-cases. Further details on these areas of interest can be found in the posted comment matrix.

Please send comments to csfc_dar_team@nsa.gov by 05 December 2019.

Download the draft Data-at-Rest v4.8 CP.

Download the Comment Matrix and Instructions.

NOTE: Solutions cannot be registered against this draft design. All solution registrations must be against the approved DAR v4.0 CP. 


Enterprise Gray Implementation Requirements Annex

The Enterprise Gray Implementation Requirements Annex Version 1.0 provides guidance that helps customers grow and expand their networks across geographically larger distances while leveraging their existing infrastructure and services to manage that growth. This annex references the three Data-in-Transit CPs (Campus Wireless Area Network, Mobile Access and Multi-Site Connectivity) using approved cryptographic algorithms and National Information Assurance Partnership evaluated components. The CSfC Enterprise Gray Implementation Requirements Annex provides cost-effective techniques to deploy all three Data-in-Transit CPs at the same time using centralized certificate and Virtual Private Network (VPN) management. Selecting equipment with the ability to collapse into components for multi-use allows customers to deploy multiple CPs simultaneously.

Feedback should be sent to Enterprise_Gray_team@nsa.gov.

Download the Enterprise Gray Implementation Requirements Annex Version 1.0

Key Management Requirements Annex

The Key Management Requirements Annex Version 1.0 has been developed and approved by the National Manager as a commercial strategy suitable for protecting classified information and National Security Systems provided the user’s implementation of the solution is configured, maintained and monitored as required by the published Capability Packages (CPs).  The CPs for Mobile Access, Campus WLAN and Multi-Site Connectivity have been updated to reflect the new Key Management Requirements Annex.  Previously, the Data at Rest CP was updated to reflect the Key Management Requirements Annex. 

Feedback should be sent to Key_Man_Req_Team@nsa.gov.

Download the approved Key Management Requirements Annex v1.0

Wireless Intrusion Detection System/Wireless Intrusion Prevention System Requirements Annex

The Wireless Intrusion Detection System/Wireless Intrusion Prevention System (WIDS/WIPS) Annex Version 0.8 provides guidance to customers on monitoring and protecting CSfC WLAN Access Systems and securing classified spaces through the use of WIDS and WIPS.  This Annex will apply to the Campus WLAN CP and the Mobile Access CP in a Government Private Wireless deployment.  The CSfC WIDS/WIPS Annex covers secure deployment, management and configuration of WIDS and WIPS within CSfC solutions, which aim to simplify and enhance current security in monitoring wireless solutions.

The WIDS/WIPS Annex v0.8 is a draft and is posted to solicit external review, comments and feedback. Comments should be filled out per the comment matrix with a rationale for each comment.

Please send comments to CSfC_WIDS_team@nsa.gov by 05 December 2019.

Download the WIDS/WIPS Annex Version 0.8

Download the WIDS/WIPS Comment Matrix and Instructions.

Attention CSfC Customers: Please ensure all submitted registration packages contain solution diagrams. Also, please advise us when you are deciding to implement a CSfC solution. We would like to ensure your solution can be registered as quickly as possible for approval. However, deviations discovered at the end of the process can be time-consuming for you and resource-intensive for NSA. Please email the CSfC team at csfc_register@nsa.gov.