1. Focus on the Mission
When considering uses for CSfC, your evaluation should be mission-focused, says Andrew Stewart, national security and government senior strategist for cybersecurity at Cisco.
“Maybe you suddenly need to enable more remote workers and do so securely,” Stewart says. “Maybe you need to pull in people at different classification levels to share across and manage a network that handles multiple classifications.”
Mobility might be a consideration, as might wired and wireless solutions, he adds.
All of these factors shape how an agency will leverage CSfC.
2. Look at Capabilities Versus Components
NSA offers CSfC capability packages, detailed descriptions and solution-level specifications that are vendor agnostic and provide high-level security and configuration guidance. It also has a components list that details specific products such as IPSec VPN gateways, IPSec VPN clients, wireless LAN clients and WLAN access systems.
“It’s more important to choose the capability package first,” says Jon Green, chief security officer for HPE Aruba Networks. “The use case of what you’re trying to get done is largely going to drive you toward the correct capability package.”
Once that’s done, it’s a matter of selecting the right components, leaning on trusted integrators to help navigate the complexity of assembling a system, Green adds.
Vetting integrators is a step that agencies often overlook, but it’s worth the effort since not all of them cater to the CSfC program.
“When looking for an integrator, ask some hard questions,” Green says. “They should be able to tell you that they’ve deployed these solutions, that they’ve worked with certain vendors and that they have people who are trained on this set of vendors.”
3. Seek Out Vendors with the Right Expertise
It’s important to understand the fundamentals of what CSfC has to offer, then drill deeper.
For example, under its data capabilities package, CSfC certifies the use of two different NetApp encryption modules on the same platform to protect information. But the Department of Defense has its own network regulations for provisioning and managing the box, called Security Technical Implementation Guides.
While CSfC validates that the system itself is secure based on the capabilities description, agencies may have additional requirements.
“You need to look for vendors that have additional certifications that are applicable for the environment, for example around data encryption, if you also have Federal Information Processing Standards and Federal Information Security Modernization Act compliance requirements in federal government agencies,” Kern says.
4. Look Beyond Defense and Intel
CSfC can benefit agencies beyond DOD and the intelligence community, particularly those in financial, health and energy realms that need information assurance.
“We’ve assisted customers applying this sort of methodology to protect law enforcement data, for example, and other kinds of information,” Stewart says.
In fact, CSfC can support any agency with classified use cases where the existing technology may not be a fit for everything needed.
“Mobility is often the driver for that: people who may not be inside your buildings, or may be inside another secure facility, but still need access to data,” Green says. “It’s not necessarily just military and intelligence; the Department of the Treasury has those use cases, as do the State Department and the Department of Energy.”