Almost every major piece of federal IT modernization policy the Trump administration has issued, from the Report to the President on Federal IT Modernization to the President’s Management Agenda, emphasized the importance of embracing commercial technology solutions to drive innovation across the government.
The PMA specifically calls for reducing cybersecurity risks to the federal mission “by leveraging current commercial capabilities and implementing cutting edge cybersecurity capabilities.”
For Defense Department components, intelligence agencies and other agencies that deal with classified information, the imperative to adopt commercial tools often clashes with the need to ensure the strongest possible network security. However, that’s where the National Security Agency’s Commercial Solutions for Classified program can come in handy.
The CSfC program, which got off the ground in 2016, certifies commercial network solutions that agencies can use to create secure, encrypted networks. The program is designed to enable commercial products for use in layered solutions protecting classified National Security Systems data. The goal, the NSA says, is to give agencies the ability “to securely communicate based on commercial standards in a solution that can be fielded in months, not years.”
The program delivers solutions to agencies that allow them to streamline their IT footprints while providing security. This allows agencies to cut costs and makes it easier for analysts and others who monitor networks and protect data to do their jobs.
What Is the NSA’s CSfC Program?
As a FAQ from the NSA notes, the program is NSA’s “commercial strategy for leveraging industry innovation to deliver Information Assurance (IA) solutions efficiently and securely.” The NSA believes that “properly configured, layered solutions can provide adequate protection of classified data in a variety of different applications,” and agency policy mandates CSfC as the first option to be considered to satisfy an IA requirement.
Typical CSfC clients include the DOD, the intelligence community, military service branches and other federal agencies that deal with NSS.
By leveraging commercially based and traditional “government off-the-shelf” (GOTS) IA solutions, the program allows agencies to use the right tools for the right job to protect classified information, according to the NSA.
The NSA has developed, approved and published solution-level specifications called Capability Packages, or CP, for the program, and works with technical communities from across industry, governments and academia to develop product-level requirements called U.S. government Protection Profiles.
Customers can register their solution with the NSA “by leveraging the CSfC process to build and test in accordance with the approved CP and selecting components from the CSfC Components List.” Agencies and their integrator partners will follow the specifications and use the information in a CP to “make product selections to create an architecture with specific commercial products configured in a particular manner,” according to the NSA.
The Benefits of the NSA’s CSfC Program
For agencies that need to protect classified data and want to use commercial solutions to do so, the program offers numerous built-in assurance features, as the NSA notes.
All of the solutions that are accepted into the program are designed and approved by the NSA, and there is a cadre of NSA-vetted, trusted system integrators available for agencies to work with to implement the solutions. All of the products in the program have National Information Assurance Partnership-validated components, satisfy U.S. and collaborative Protection Profile requirements, and are validated against international Common Criteria.
Agencies also will be able to potentially save costs by quickly deploying scalable, commercial products that are priced based on market competition. The solutions all use open, nonproprietary interoperability and security standards, with mitigations applied based on NIST 800-30. Agencies that use CSfC products will have “situational awareness about which components are used and where,” and there are documented incident handling procedures.
By leveraging commercial technology, CSfC enables agencies to “access mission data and aid decision-making in real time, inside the adversaries’ decision cycle,” the NSA argues.
The U.S. Southern Command says that the program greatly improved its ability “to field both enduring and episodic mission partner environments with our partner nations,” according to an NSA fact sheet. The command says it will save $2.6 million across a five-year development plan to repurpose $1 million of Type 1 devices. Meanwhile, the Air Force Research Laboratory says the program will minimize the cost and complexity of the Secret Internet Protocol Router Network deployments, streamline operations and maintenance costs and enhance security. “CSfC provides the USAF with the best solution to meet classified network access requirements … especially with today’s budgetary constraints,” the lab says, according to the NSA.
By offering commercial solutions that allow agencies to virtually connect to numerous secure networks, the CSfC program can greatly reduce an agency’s hardware footprint, collapse its physical environment and save costs. That arrangement also allows analysts to do their jobs more efficiently.
CDW•G is an NSA Trusted Integrator that works with the CSfC program, and its Capability Packages are available for VPNs, wireless LAN, data at rest and mobile access.
For agencies that need to protect classified data and networks but don’t want to have their network security solutions be a generation behind where they should be, the CSfC program is an invaluable tool.