What are the business solutions for classifieds?
The CSfC program, which took off in 2016, certifies commercial network solutions that agencies can use to create secure and encrypted networks. The program is designed to allow commercial products to be used in layered solutions protecting classified data from National Security Systems (NSS).
The goal, according to the NSA, is to give agencies “the ability to communicate securely based on business standards in a solution that can be implemented in months, not years.”
According to an NSA FAQ on the program, CSfC “leverages industry innovation to deliver solutions efficiently and securely” and is based on the principle that “properly configured and layered solutions can provide protection. adequate data classified in a variety of different applications ”.
NSA / Central Security Service The policy requires that CSfC be the first option agencies should consider to meet a cybersecurity requirement.
Typical clients of the CSfC are NSS stakeholders, including DOD agencies, intelligence agencies, branches of military service, and other federal agencies that use classified networks. These agencies use “business solutions based on CSfC (CP) capability packages to rapidly implement cybersecurity solutions to meet their mission objectives”.
What are CSfC (CP) Capacity Packages?
The NSA said it has developed a set of “capability packages” to give agencies “easy access to the information necessary to meet their operational requirements.”
Capability packages “contain neutral product information that will enable customers / integrators to successfully implement their own solutions.”
Using the information in the CP, agencies and integrators they work with can “make product selections while following guidelines / restrictions to create an architecture with specific business products configured in a particular way.” .
“The CSfC capability packages will provide sufficient guidance to accreditors to make informed decisions about whether the solutions meet their mission and security requirements,” adds the NSA. “Each set of capabilities is associated with a classified risk assessment. “
The NSA offers many feature packages as part of the CSfC program, including a recently updated Mobile Access CP designed to “meet the demand for mobile data transit solutions using the suite of Commercial National Security algorithms (CNSA) with the National Information Assurance Partnership (NIAP) validated products to compose secure mobile solutions.
There are also CPs for campus wireless LAN, multisite connectivity, and data at rest.
RELATED: Discover more benefits of the CSfC program.
NSA CSfC Encryption Products Versus Type 1 Encryption Products
According to National risk management policy and framework for national security systems guide, an NSA Type 1 product is defined as “cryptographic equipment, assembly, or component” that has been “classified or certified by the NSA for the encryption and decryption of classified and sensitive national security information when they are entered correctly ”.
NSA Type 1 encryption products have been “developed using commercial processes established by the NSA and containing NSA approved algorithms” and are “used to protect systems requiring the strictest safeguards. “.
The CSfC does not replace Type 1 products, according to the NSA; it is simply an alternative. Capability packages “empower” agencies to deploy “secure solutions using commercial off-the-shelf independent and layered products from the CSfC component list. CSfC solutions can be used to protect classified data in various applications.
Based on the agency’s needs, the NSA says it will use the “right tool for the right job,” whether it’s CSfC, Type 1, or some other method.
“Quite often the right tool can include layering commercial products in accordance with CSfC requirements,” says the NSA. “The United States National Policy (CNSSP-15) ensures the protection of NSS (National Security Systems) and must use the solutions of the CNSA (Commercial National Security Algorithm) suite for the protection of information systems. “
TO EXPLORE: What are the implications of allowing remote access to classified data?
CSfC Component List: Explore the Benefits of CSfC Capacity Products
The NSA touts the many benefits of using CSfC. The first is that the program offers agencies a variety of vendor solutions. As FedTech reported:
NSA pre-checked list of components includes a range of tools necessary to support telecommuting, such as authentication servers from Aruba and Cisco; VMware Workspace ONE Mail client; end-user devices Motorola and Samsung; Transport Layer Security – protected servers Cisco, Palo Alto Networks and others; IP Security VPN Clients Cisco, Microsoft and Samsung; and Aruba and Cisco VPN gateways.
This pre-approved list means agencies can accelerate their deployment of classified network solutions. “With the approved list, components are more accessible and sourcing can be less difficult,” says Ziska.
In this sense, the NSA says the CSfC allows agencies to “keep pace with technological advancements and use the latest capabilities in their systems and networks.” Additionally, agencies can save costs through “market competition and rapidly deployable and scalable business products.”
CSfC is also standards-based and “leverages open, non-proprietary interoperability and security standards”.
The NSA says CSfC also assists with surveillance and provides agencies with “situational awareness of component use and location, as well as documented incident management procedures.”
The program also leverages the technical expertise of the NSA, including its “world-class team of system engineers, threat analysts and cyber experts.” Most importantly, CSfC is an end-to-end program, providing “NSA-designed and approved solutions, leveraging a group of trusted and trusted system integrators.”
MORE FROM FEDTECH: Find out why agencies need to take a new approach to data security in 2021.
How to work with a trusted CSfC integrator
CSfC Trusted Integrators are companies that help agencies implement chosen capability packages.
“Trusted integrators specialize in bundling CSfC components according to CSfC CPs to ensure secure and appropriate solution functionality,” according to the NSA. The agency strongly recommends that government clients using the CSfC program work with a trusted integrator, although this is not mandatory.
CDW • G is a trusted integrator, and its feature packages are available for VPNs, wireless LAN, data at rest, and mobile access.
Agencies working with trusted integrators should be aware of the rules that integrators must follow, including security clearance requirements.
“The permissions for at least one team member must be at least equivalent to the level of data to be processed by the solution,” the NSA says. “The integrator’s staff responsible for integration, testing, maintenance, and security incident response must have permissions to receive risk assessments and adequately address vulnerabilities. “
Although trusted integrators are not required to have a secure installation, the integrator “must have access to a secure installation to receive classified risk assessments and test classified vulnerabilities, if necessary,” and this permission from installation must be “equivalent to the level of data to be processed by the solution.”