What is CSfC: How CSfC Components Can Enhance Network Security
What is Commercial Solutions for Classified (CSfC)?
The CSfC program, which started in 2016, certifies commercial network solutions that agencies can use to create secure, encrypted networks. The program is designed to enable the use of commercial products in layered solutions protecting classified National Security System (NSS) data.
The goal, according to the NSA, is to give agencies “the ability to communicate securely based on commercial standards in a solution that can go live in months, not years.”
According to an NSA FAQ on the program, CSfC “leverages industry innovation to deliver effective and secure solutions” and is based on the principle that “properly configured and layered solutions can provide adequate protection of classified data in a variety of different applications”.
NSA/Central Security Service policy identifies CSfC as the first option agencies should consider when meeting a cybersecurity requirement.
Typical CSfC customers are NSS stakeholders, including DOD agencies, intelligence agencies, military service branches, and other federal agencies that use classified networks. These agencies use “commercial solutions based on CSfC Capability Packages (CPs) to rapidly implement cybersecurity solutions to meet their mission objectives.”
What are CSfC capability packages (CPs)?
The NSA says it has developed a set of “capabilities packages” to give agencies “immediate access to the information needed to meet their operational needs.”
Capability packages “contain product-independent information that will enable customers/integrators to successfully implement their own solutions.”
Using the information in the CP, agencies and the integrators they work with can “make product selections while following the guidelines/restrictions to build an architecture with specific commercial products configured in a particular way”.
“The CSfC capability sets will provide enough guidance to accreditation bodies to make informed decisions about whether the solutions meet their mission and security requirements,” the NSA adds. “Each capability set is associated with a classified risk rating.”
The NSA offers numerous capability packages under the CSfC program, including a recently updated Mobile Access CP designed to “meet demand for mobile data-in-transit solutions using the Commercial National Security Algorithm (CNSA) Suite with National Information Assurance Partnership (NIAP) validated products to compose secure mobile solutions.”
There are also CPs for campus wireless LAN, multisite connectivity, and data at rest.
NSA CSfC versus Type 1 encryption products
According to the National Risk Management Policy and Framework for National Security Systems, an NSA Type 1 product is defined as “cryptographic equipment, assembly, or component” that has been “classified or certified by the NSA for encryption and decryption of classified and sensitive national security information” when properly keyed.
NSA Type 1 encryption products have been “developed using commercial processes established by the NSA and containing NSA-approved algorithms” and are “used to protect systems requiring the most stringent protection mechanisms”.
CSfC is not a replacement for Type 1 products, according to the NSA; it is only an alternative. Capability packages enable agencies to deploy “secure solutions using off-the-shelf, independent, multi-layered commercial products from the CSfC component list.” CSfC solutions can be used to protect classified data in a variety of applications.
Based on the agency’s needs, the NSA says it will use “the right tool for the right job,” whether it’s CSfC, Type 1, or another method.
“Very often, the right tool can include layered use of commercial products in accordance with CSfC requirements,” the NSA says. “The US National Policy (CNSSP-15) ensures the protection of NSS (National Security Systems) and must use CNSA (Commercial National Security Algorithm) Suite solutions for the protection of information systems.”
List of CSfC components: Explore the benefits of CSfC capacity products
The NSA touts the many benefits of using CSfC. The first is that the program offers agencies a variety of vendor solutions. As FedTech reported:
The NSA’s pre-approved list of components includes a range of tools needed to support remote working, such as authentication servers from Aruba and Cisco; VMware Workspace ONE email client; end-user devices from Motorola and Samsung; servers protected by Transport Layer Security from Cisco, Palo Alto Networks and others; IP security VPN clients from Cisco, Microsoft and Samsung; and Aruba and Cisco VPN gateways.
This pre-approved list means agencies can accelerate their deployment of classified network solutions. “With the approved list, components are more accessible and sourcing can be less difficult,” says Ziska.
In this sense, the NSA claims that the CSfC allows agencies to “keep pace with technological advancements and utilize the latest capabilities of their systems and networks.” Additionally, agencies can save costs through “market competition and rapidly deployable and scalable commercial products.”
CSfC is also standards-based and “builds on open, non-proprietary interoperability and security standards.”
The NSA says CSfC also assists in surveillance and provides agencies with “situational awareness of component usage and location, as well as documented incident handling procedures.”
The program also draws on the NSA’s technical expertise, including its “world-class team of systems engineers, threat analysts, and cybersecurity experts.” And, most importantly, CSfC is an end-to-end program, providing “NSA-designed and approved solutions, backed by a cadre of approved and trusted systems integrators.”
How to work with a trusted CSfC integrator
CSfC Trusted Integrators are companies that help agencies implement their chosen capability packages.
“Trusted integrators specialize in bundling CSfC components in accordance with CSfC CPs to ensure secure and proper solution functionality,” according to the NSA. The agency strongly recommends that government customers using the CSfC program work with a trusted integrator, although this is not required.
CDW•G is a trusted integrator and its feature packages are available for VPNs, Wireless LANs, Data at Rest, and Mobile Access.
Agencies working with trusted integrators should be aware of the rules integrators must follow, including security clearance requirements.
“Permissions for at least one team member must be at least equivalent to the level of data to be processed by the solution,” the NSA says. “The integrator’s personnel responsible for integration, testing, maintenance, and security incident response must hold clearances that allow them to receive risk assessments and appropriately remediate vulnerabilities.”
Although trusted integrators are not required to have a secure facility, the integrator “must have access to a secure facility to receive classified risk assessments and test classified vulnerabilities, if necessary”, and this facility clearance must be “equivalent to the level of data to be processed by the solution.”