Aug 09 2023

6 Ways to Make the Most of Commercial Solutions for Classified

The CSfC program gives agencies opportunities for more flexible security than ever before.

The National Security Agency’s Commercial Solutions for Classified program offers defense, national security and other federal agencies a ready means to access commercial products while still protecting classified information and systems.

CSfC validates the security of commercial platforms, streamlining the laborious federal process of issuing an authority to operate (ATO).

What results is a big opportunity for more flexible security at agencies.

“They can work with a vendor that’s made the commitment to meet all those certification standards that are required for these classified programs,” says Kirk Kern, CTO for the Americas at NetApp. “It gives them the confidence to deploy the technologies more quickly, with greater protection against risks.”

Here are six ways to best take advantage of CSfC offerings.

Click the banner below to learn about the benefits of hybrid cloud environments.

1. Focus on the Mission

When considering uses for CSfC, your evaluation should be mission-focused, says Andrew Stewart, national security and government senior strategist for cybersecurity at Cisco.

“Maybe you suddenly need to enable more remote workers and do so securely,” Stewart says. “Maybe you need to pull in people at different classification levels to share across and manage a network that handles multiple classifications.”

Mobility might be a consideration or else wired and wireless solutions, he adds.

All of these factors shape how an agency will leverage CSfC.

2. Look at Capabilities Versus Components

NSA offers CSfC capability packages, detailed descriptions and solution-level specifications that are vendor agnostic and provide high-level security and configuration guidance. It also has a components list that details specific products such as IPSec VPN gateways, IPSec VPN clients, wireless LAN clients and WLAN access systems.

“It’s more important to choose the capability package first,” says Jon Green, chief security officer for HPE Aruba Networks. “The use case of what you’re trying to get done is largely going to drive you toward the correct capability package.”

Once that’s done, it’s a matter of selecting the right components, leaning on trusted integrators to help navigate the complexity of assembling a system, Green adds.

Vetting integrators is a step that agencies often overlook, but it’s worth the effort since not all of them cater to the CSfC program.

“When looking for an integrator, ask some hard questions,” Green says. “They should be able to tell you that they’ve deployed these solutions, that they’ve worked with certain vendors and that they have people who are trained on this set of vendors.”

LEARN MORE: How data center solutions rise to new challenges.

3. Seek Out Vendors with the Right Expertise

It’s important to understand the fundamentals of what CSfC has to offer, then drill deeper.

For example, under its data capabilities package, CSfC certifies the use of two different NetApp encryption modules on the same platform to protect information. But the Department of Defense has its own network regulations for provisioning and managing the box, called secure technical implementation guides.

While CSfC validates that the system itself is secure based on the capabilities description, agencies may have additional requirements.

“You need to look for vendors that have additional certifications that are applicable for the environment, for example around data encryption, if you also have Federal Information Processing Standards and Federal Information Security Modernization Act compliance requirements in federal government agencies,” Kern says.

4. Look Beyond Defense and Intel

CSfC can benefit agencies beyond DOD and the intelligence community, particularly those in financial, health and energy realms that need information assurance.

“We’ve assisted customers applying this sort of methodology to protect law enforcement data, for example, and other kinds of information,” Stewart says.

In fact, CSfC can support any agency with classified use cases where the existing technology may not be a fit for everything needed.

“Mobility is often the driver for that: people who may not be inside your buildings, or may be inside another secure facility, but still need access to data,” Green says. “It’s not necessarily just military and intelligence; the Department of the Treasury has those use cases, as do the State Department and the Department of Energy.”

Andrew Stewart
Maybe you need to pull in people at different classification levels to share across and manage a network that handles multiple classifications.”

Andrew Stewart National Security and Government Senior Strategist for Cybersecurity, Cisco

5. Understand Vendors’ Role in the CSfC Process

Experienced vendors should have artifacts that agencies can use in developing the system security plan and submitting all the paperwork to receive an ATO, which is invaluable help, Kern says.

“CSfC doesn’t define every aspect of how you configure the systems and how you operate them,” he adds. “The vendors can help you to define how you securely operate the gear and protect the gear.”

6. Track the Emerging Capabilities List

NSA is keeping tabs on upcoming capabilities, and agencies also should be keeping an eye on that information.

“The National Information Assurance Partnership tracks all that, with a listing of what is in development,” Stewart says. “That’s important as you consider your forward-looking capabilities — looking at what you might need — especially if you are looking at either capacity or scale.”

Know what’s coming, and work with your technology provider to stay ahead of the curve, he adds.

Agencies can tell vendors what their capacity and product desires are and ask where they are in the testing process. That way, CSfC serves as a vehicle to future-proof their operations.

Lt. Michelle Tucker/U.S. Navy

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT