A New Jersey National Guardsman trains during a cybersecurity exercise. The CSfC program can help military branches buy commercial products for this kind of sensitive use. 

Sep 02 2021

A Guide to Commercial Solutions for Classified (CSfC) Capability Products

The National Security Agency’s CSfC program helps agencies use commercial tools to securely connect to classified networks.

The Defense Department has spent much of the past year building a solution known as DoD365 to give its users secure access to the tools they need to do their jobs remotely. However, this solution, DOD’s version of Microsoft 365, is for unclassified work.

Likewise, the National Geospatial-Intelligence Agency has found ways to enable remote work with unclassified data in secure cloud environments. The data that users work on can then be pushed back into a classified environment.

For defense and intelligence agencies that need to conduct their missions on classified networks, there really is only one way to do so securely using commercial tools: the National Security Agency’s Commercial Solutions for Classified Program.

“We are the only option for classified telework accommodation through commercial products,” NSA Deputy Director for CSfC David Ziska tells FedTech.

What Are Commercial Solutions for Classified?

The CSfC program, which got off the ground in 2016, certifies commercial network solutions that agencies can use to create secure, encrypted networks. The program is designed to enable commercial products for use in layered solutions protecting classified National Security Systems (NSS) data.

The goal, the NSA says, is to give agencies “the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.”

According to an NSA FAQ on the program, CSfC “leverages industry innovation to deliver solutions with efficiency and security” and is based on the principle that “properly configured and layered solutions can provide adequate protection of classified data in a variety of different applications.”

NSA/Central Security Service policy mandates CSfC as the first option agencies should consider to satisfy a cybersecurity requirement.

Typical CSfC clients are NSS stakeholders, including DOD agencies, intelligence agencies, military service branches and other federal agencies that use classified networks. These agencies use “commercial solutions based on CSfC Capability Packages (CPs) to quickly implement Cybersecurity solutions to satisfy their mission objectives.”

What Are CSfC Capability Packages (CP)? 

The NSA says it has developed a set of “capability packages” to give agencies “ready access to the information needed to satisfy their operational requirements.”

Capability packages “contain product-neutral information that will allow customers/integrators to successfully implement their own solutions.”

Using information in the CP, agencies and the integrators they work with can “make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.”

“CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements,” the NSA adds. “Each Capability Package has a classified Risk Assessment associated with it.”

NSA offers many capability packages as part of the CSfC program, including a recently updated mobile access CP designed to “meet the demand for mobile data in transit solutions using the Commercial National Security Algorithm (CNSA) Suite with National Information Assurance Partnership (NIAP) validated products to compose secure mobile solutions.”

There are also CPs for campus wireless local area network, multisite connectivity and data at rest.

RELATED: Explore more of the benefits of the CSfC program.

NSA CSfC vs. Type 1 Encryption Products 

According to the National Risk Management Policy and Framework for National Security Systems guide, an NSA Type 1 product is defined as “cryptographic equipment, assembly or component” that has been “classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed.”

NSA Type 1 encryption products have been “developed using established NSA business processes and containing NSA approved algorithms” and are “used to protect systems requiring the most stringent protection mechanisms.”

CSfC is not a replacement for Type 1 products, according to the NSA; it is merely an alternative. Capability packages “empower” agencies to deploy “secure solutions using independent, layered Commercial Off-the-Shelf products from the CSfC Components List. CSfC solutions can be used to protect classified data in a variety of applications.”

Based on the agency’s needs, the NSA says it will use the “correct tool for the right job,” whether that is CSfC, Type 1 or some other method.

“Very often, the right tool can include the layered use of the commercial products in accordance with CSfC requirements,” the NSA states. “U.S. national (CNSSP-15) policy provides the protection of NSS (National Security Systems), and shall utilize CNSA (Commercial National Security Algorithm) suite solutions for protection of information systems.”

EXPLORE: What are the implications of enabling remote access to classified data?

CSfC Components List: Exploring the Benefits of CSfC Capability Products

The NSA touts many benefits of using CSfC. One is that the program provides agencies with a variety of solutions from vendors. As FedTech reported: 

NSA’s pre-vetted list of components includes a range of tools needed to s­upport telework, such as authentication servers from Aruba and Cisco; VMware’s Workspace ONE email client; end-user devices from Motorola and Samsung; Transport Layer ­­Security–protected servers from Cisco, Palo Alto Networks and others; IP Security VPN clients from Cisco, Microsoft and Samsung; and Aruba and Cisco VPN gateways.

That preapproved list means that agencies can accelerate their deployment of classified networking solutions. “With the approved list, the components are more accessible, and procurement can be less of a challenge,” Ziska says.

Along those lines, the NSA says CSfC enables agencies to “keep pace with technological progress and employs the latest capabilities in their systems and networks.” Further, agencies can save on costs via “marketplace competition and rapidly deployable, scalable commercial products.”

CSfC is also standards-based and “leverages open, non-proprietary interoperability and security standards.”

The NSA says CSfC also helps with monitoring and provides agencies with “situational awareness about components use and location, as well as documented incident handling procedures.”

The program also leverages NSA’s technical expertise, including its “world-class team of system engineers, threat analysts, and cyber experts.” And, importantly, CSfC is an end-to-end program, providing “NSA designed and approved solutions, leveraging a cadre of vetted, trusted system integrators.”

MORE FROM FEDTECH: Learn why agencies need to take a new approach to data security in 2021.

How to Work with a CSfC Trusted Integrator

CSfC Trusted Integrators are companies that help agencies implement their chosen capability packages.

“Trusted Integrators specialize in bringing together CSfC components in accordance with the CSfC CPs to ensure secure and proper solution functionality,” according to the NSA. The agency strongly recommends that government customers using the CSfC program work with a Trusted Integrator, though it is not required.

CDW•G is a Trusted Integrator, and its capability packages are available for VPNs, wireless LAN, data at rest and mobile access.

Agencies working with Trusted Integrators should be aware of the rules that integrators need to follow, including security clearance requirements.

“Clearances for at least one team member shall be at least equivalent to the level of data to be processed by the solution,” the NSA states. “Integrator personnel responsible for integrating, testing, maintaining and responding to security incidents shall hold clearances that enable them to receive risk assessments and adequately address vulnerabilities.”

While Trusted Integrators are not required to have a secure facility, the integrator “must have access to a secure facility to receive classified risk assessments and test for classified vulnerabilities, if needed,” and that facility clearance must be “equivalent to the level of data to be processed by the solution.”

Chief Warrant Officer 3 Wade Gettle Jr./New Jersey National Guard