Jan 20 2023

How the NSA’s Commercial Solutions for Classified Program Continues to Evolve

The program is expanding its scope and capabilities, offering defense and intelligence agencies more flexibility and security.

Since the mid-2010s, the National Security Agency has offered its Commercial Solutions for Classified (CSfC) program, allowing defense and intelligence agencies to securely use commercial tools to support their missions.

The program certifies commercial network solutions that agencies can use to create secure, encrypted networks. It’s designed to enable commercial products for use in layered solutions protecting classified National Security Systems data.

However, in the past 12 to 18 months, the program has evolved significantly, and more changes are expected. CSfC is now more modular and flexible, offering agencies greater capabilities and support for more than just traditional on-premises operations.

Agencies that use CSfC no longer need to be tied to legacy data centers, and the program is now supporting hybrid or even fully cloud-based capabilities for the Defense Department, military branches and intelligence agencies. Thanks to enhanced partnership between the NSA and its Trusted Integrators, the program has been moving to streamline the registration, authorization and accreditation process and develop new technologies for agencies to use.

The result is that CSfC offers support for more devices in more settings, and is in a position to enable a wider range of encrypted communications, than ever before.

Click the banner below to receive curated content by becoming an Insider.

How the NSA’s CSfC Program Is Changing

While the CSfC program has long focused on enhancing agencies’ cybersecurity and providing strong protections for data at rest, it has recently expanded its capabilities. The program is now also helping DOD and intelligence agencies start to move away from on-premises solutions to support more mobile and wireless use cases, data at rest for remote locations, hybrid cloud and cloud-based operations.

The NSA has begun to allow a wider range of mobile device makers and a larger range of multidomain operations. This includes vendors that are making the technology and agencies such as the Defense Advanced Research Projects Agency and the Defense Intelligence Agency, as well as the military branches.

A key component of this is increased support for multidomain operations with cross-tenant utilization. What that means is that the program is starting to federate capabilities so that different departments within DOD, for example, can securely communicate with each other on Microsoft Teams. This is important from a cybersecurity perspective because the more siloed these applications are, the longer it takes to resolve potential threats or attacks.

The military branches are moving to adopt the DOD’s Joint All-Domain Command and Control (JADC2) initiative. The initiative seeks to integrate data from sensors, electronic weapons, cyberspace and more across every domain — land, air, sea, space and cyber — so that commanders and civilian leaders can make more informed decisions.

The Air Force recently awarded 92 companies spots for a potential 10-year, $900 million contract on multidomain operations research and development. The Army and Navy are working on similar efforts. The goal, which CSfC is supporting, is to use commercial technologies to provide secure telework, as was the case earlier in the COVID-19 pandemic. It also seeks to securely transport data from location to location, from the ground to assets in the air, or from the air down to a submarine.

DISCOVER: How SD-WAN can help agencies expand their network reach.

Security Policy Is Catching Up to Technology Shifts

In all of these shifts, technology is no longer the limiting factor, but policy remains a barrier. Agencies within the DOD and intelligence community are starting to focus on how to evolve their policies to facilitate easier adoption of these technologies.

The policy changes are driven collaboratively by the NSA and its Trusted Integrators, of which CDW•G is one, as well as the DOD. The goal is to streamline technology adoption and guide how vendors develop new technologies.

That will allow agencies to come to the commercial market and better explain how their software or hardware encryption technologies need to be modified to meet their needs. It also allows industry to push agencies to be more transparent, collaborative and speedy in the approval process; there is now more of a partnership between agencies and industry.

The result is that CSfC products can be more easily deployed to personnel on bases in the form of laptops and smartphones, as well as in fighter jets and on submarines.

The CSfC program’s value is growing as the DOD looks to modernize its legacy technology, enable multidomain operations, and untether users from their desktops, data centers and on-premises solutions, all while maintaining zero-trust compliance. The end result is that agencies can now collaborate faster and more closely with industry to develop and deploy secure solutions for a highly skilled and highly distributed workforce.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.

CapITal blog logo

ipopba/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT