We have recently seen an increase in the number of clients who are asking about the National Security Agency’s (NSA) Commercial Solutions for Classified (CSfC) program and how to get on the CSfC Components List maintained by the NSA Information Assurance Directorate (IAD). It’s worth noting that this is a “products list” that is separate from the Department of Defense Information Network Approved Products List (DoDIN AL) and the National Information Assurance Partnership Product Compliant List (NIAP PCL).
What is CSfC?
The CNSSP (Committee on National Security Systems Policy) #11 establishes processes for acquisition of commercial and government Information Assurance (IA) or IA-enabled IT products to be used on National Security Systems (NSS). The CNSSP #11 specifically calls out a preference for purchasing:
“Layered COTS [commercial off-the-shelf] product solutions (e.g., selecting two or more IA and IA-enabled IT products) are preferred for use to protect information on NSS when these solutions are available and satisfy an organization’s requirements.”
The U.S. government is targeting the use of commercially available products for the national security systems and networks and they need assurances of the security of these products before they are deployed.
The goal of the CSfC Program is to reduce the amount of work each government purchaser needs to do in order to buy quality security solutions, and to maintain a level of assurance in those solutions. The CSfC Program maintains the CSfC Components List, which lists the commercial security products that have met the required IT security evaluation criteria. Additionally, the CSfC Program defines “Capability Packages,” which provide guidance on solution architecture to meet a specific security need, such as a secure VPN to tunnel classified information between two sites via the Internet. The Capability Package provides guidance to government purchasers and system integrators on how to select products from the CSfC Components List in order to compose the desired solution. The Capability Package also includes non-vendor-specific configuration requirements, testing requirements, guidance for using and maintaining the solution, and other pertinent information. Government purchasers and system integrators will be focused on using products that are on the CSfC Components List in order to build systems to meet the Capability Packages as defined by IAD. While they plan to add more, currently the CSfC Program has focused on and defined Capability Packages for these three specific areas:
- Multi-Site VPN – VPN architectures for securing data in transit between multiple enclaves.
- Campus WLAN – Wireless LAN securing data in transit between mobile users to the government enterprise.
- Mobility – Mobile solutions encompasses the five major categories of the mobile ecosystem components: Secure Voice, OS/Apps & Mobile Device, Mobile Transport (Carrier), Mobile Enterprise Infrastructure, and Interoperability.
How is CSfC driving product evaluation requirements?
There are several steps necessary to get a product listed on the CSfC Component List and those steps are pushing several vendors to seek product evaluation. With the goal of providing security assurance of these products, the products must complete a Common Criteria evaluation and a FIPS 140-2 evaluation as appropriate to the product. Product vendors then sign a Memorandum of Agreement (MOA) with the NSA. Be prepared, the MOA will likely dictate additional requirements for that product type. We encourage product vendors to ask for the MOA well before they have completed the security evaluations to make sure that the evaluated product will meet all the technical requirements. Products are placed on the CSfC Components List if the product has the required security evaluations and provides features that make it eligible to be part of one of the already defined Capability Package solutions.
If you are reading this blog post you likely already have some driver to achieve or have already achieved FIPS 140-2 or Common Criteria evaluation for your products. We encourage you to seek the most benefit from those product evaluations by making sure your products are also listed on both the DoD UC APL and the CSfC Components Lists.
A consultant can help you assess whether your products are eligible for the CSfC Components List and make the validation process more efficient and cost-effective overall. Contact Corsec to find out how we can help you with your next evaluation.