Ever-evolving, complex government and military applications that deal with large amounts of critical data need reliable, efficient technologies with enhanced security protections to ensure effective operation and thwart hacker intrusion.
In this blog, you’ll learn about what CSfC is, its primary benefits, and how it takes a layered approach to ensure full protection of data-at-rest (DAR) at the highest level.
What is CSfC?
CSfC (Commercial Solutions for Classified) is the NSA’s (National Security Agency) strategy to deliver cybersecurity solutions–also known in this case as Information Assurance (IA)–securely, efficiently, and quickly for classified applications.
CSfC is founded on the principle that properly configured, layered solutions can provide adequate protection of sensitive and classified information across a variety of different applications. (More on that later.)
NSA policy requires that CSfC is the first option to be considered to satisfy any IA requirement.
Why is CSfC needed?
Government customers are increasingly requiring immediate use of the most modern commercial hardware and software technologies available within the National Security Systems (NSS) in order to achieve mission objectives.
In response to these demands, the NSA is developing new ways to use existing technologies to deliver more timely IA solutions for rapidly evolving customer requirements.
Additionally, data-at-rest (DAR) can be threatened from four different vectors, both internal and external. In deployed DAR applications like planes or unmanned vehicles, data can be lost during a mission or even during transport from the deployed vehicle back and forth to the ground station.
But even when mission data has been safely downloaded and stored on a network, it is still at risk to relentless hackers from the outside as well as unknown internal bad actors with malicious agendas, prompting the need for layered defense.
Source: Daily Maverick. Even when mission data has been safely downloaded and stored on a network, it is still at risk to relentless hackers from the outside as well as unknown internal bad actors with malicious agendas, prompting the need for layered defense.
Who are CSfC’s main clients?
Typical CSfC clients include NSS stakeholders, the Department of Defense (DoD), the Intelligence Community (IC), military services, and other government agencies. All of these entities use commercial solutions based on the CSfC Capability Packages (CPs) to quickly implement IA solutions to satisfy mission objectives.
What are the primary features and benefits of CSfC?
With CSfC, customers can implement data security measures due to NSA investment in the research and application of commercial technologies.
Here are some major benefits of CSfC:
- End-to-end solutions: CSfC provides NSA-designed/approved solutions, leveraging a number of vetted, trusted system integrators.
- Flexibility and transparency: CSfC leverages NIAP-validated components, satisfying US and Collaborative Protection Profile requirements, validated against International Common Criteria.
- Cost-effectiveness and efficiency: CSfC allows clients to keep pace with technological progress and employs the latest capabilities in their systems and networks, while reducing the time it takes to build, evaluate, and deploy IA solutions by utilizing mature technologies already available to the commercial sector. Potential cost savings may be realized though marketplace competition and rapidly deployable, scalable products.
- Standards-based: CSfC solutions leverage open, non-proprietary interoperability and security standards.
- Monitoring and response: CSfC provides situational awareness about components use and location as well as document incident handling procedures.
- Technical expertise: CSfC is driven by the NSA’s world-class team of system engineers, threat analysts, and cyber experts.
Source: Oceus Networks. With CSfC, customers can implement data security measures due to NSA investment in the research and application of commercial technologies.
What are the main components of a CSfC solution?
In order to pass as a CSfC solution, two layers of DAR encryption are required. When properly implemented, a single layer of DAR encryption from the Commercial National Security Algorithm (CNSA) Suite is enough to protect critical data, but two layers are used to mitigate risks if one of the layers fails.
Failures may result from accidental misconfiguration, operator error, or malicious exploitation of an implementation vulnerability, any of which can result in the exposure to classified DAR.
If one of the layers is compromised, the second layer can still provide the encryption to safeguard the classified data. If both layers are compromised or simultaneously fail, then it is possible that the classified data will be easily accessible by hackers.
The use of multiple layers, then, implemented with components meeting the CSfC vendor diversity requirements, reduces the likelihood that a single vulnerability can be exploited to reveal protected information. With multiple layers, the possibility of both failing at the same time is reduced, and an adversary must beat both layers to gain access to information.
Now, of course, given enough time, any encryption measure can be defeated, but with two layers, that becomes more difficult.
What is the client’s role in CSfC?
CSfC allows clients to use COTS products and to tailor their solution to meet their technical, performance, and environmental specifications. To support this, the NSA has developed, approved, and published Capability Packages (CPs).
If a client needs information or assistance in seeing whether an approved CP meets their needs, they may engage the NSA through their desired NSA client advocates and the NSA Client Contact Center.
Clients are required to register all CSfC solutions operating on NSS or protecting NSS information to include submitting the appropriate compliance checklist, registration form, and network diagrams.
Though not mandatory, CSfC strongly encourages working with a trusted integrator while designing, building, and testing a CSfC-complaint solution based upon one or more of the published CPs.
Clients are responsible for obtaining certification and accreditation of the client implementation of a CP under their organization’s established accreditation and approval process.
Security requirements and assurance features of CSfC
Any physical security requirements are listed in the corresponding CSfC CP or in the relevant Protection Profile (PP). These requirements may include, but are not limited to, anti-tamper, tempest, authentication, and display the far-end identity.
Multiple levels of assurance are incorporated into every CSfC solution, from initial design through the product’s lifecycle.
Though assurance features are customized with individual implementations, here are some that are typically included:
- Product diversity using layered solutions for commercial components
- Component selection from the approved CSfC Components List, ensuring components have satisfied specific requirements to include successful evaluation by a Common Criteria Testing Lab and compliance with the applicable public standards and protocols as specified in the LPs and CSfC CPs
- Risk models and risk assessments for CSfC prototypes and CPs
- Analysis of standards, protocols, and algorithms used in a particular solution or prototype
- Vulnerability analysis of appropriate products and solutions, as well as follow-on National Manager Risk Notifications and mitigation guidance, if needed
- Established security incident response process
- Security testing of CPs that will provide sufficient guidance for accreditors to make informed decisions as well as an independent senior review of CPs to provide high-level security and configuration guidance
CSfC vs Protected Distribution Systems (PDSs)
Some have argued that CSfC could replace Protected Distribution Systems (PDSs). PDSs are wire line or fiber optic cable systems that transmit unencrypted information through an area with little to no security.
However, PDSs are more logistically intensive as compared to modern technologies and architectures. But of course, individual requirements and solutions vary, so a policy justification and cost analysis would need to be conducted to truly see whether PDSs are the right solutions.
CSfC, COTS, and GOTS
CSfC programs enable customers to securely communicate using an increasingly diverse set of commercial products, providing a secure alternative for government-off-the-shelf (GOTS) IA solutions.
GOTS is hardware and software that is created by and exclusively for the government. This is in contrast to commerical-off-the-shelf (COTS), which is hardware and software that is created for public, commercial purposes, but it can also be sold to the government. (Again, more on that later.)
The NSA’s strategy for protecting classified information continues to employ both COTS and GOTS solutions; however, NSA will first look to commercial technology and solutions in helping clients meet their data security needs.
While the greater NSA continues to support clients with existing GOTS solutions or with needs that can only be met via GOTS, CSfC is focused on COTS IA solutions, leveraging commercial products in properly configured, layered solutions to provide maximum data-at-rest protection.
Source: Archon. CSfC programs enable customers to securely communicate using an increasingly diverse set of commercial products, providing a secure alternative for government-off-the-shelf (GOTS) IA solutions.
CSfC and Trenton Systems
When dealing with government and military applications, data security must be a top priority to thwart increasingly sophisticated cyberattacks from all sources.
Threats now not only come from the outside, but from those with nefarious intent inside an organization, too. And if one layer of security fails, other layers must act as a backup to prevent the manipulation, theft, and/or deletion of data-at-rest.
Additionally, any solutions must utilize the latest technologies to meet the demands of government customers, optimize performance, and provide a seamless experience.
Trenton’s USA-made, CSfC-adherent, high-performance computers, both in rack mount and small form factor, are designed with maximum data protection at top of mind to consistently provide our customers with secure, high-quality solutions.
We guard sensitive and classified information at the highest level across the hardware, firmware, software, and network stack with advanced, multi-layer cybersecurity.
We help our customers navigate supply chain constraints with a tight grip on the production process, including BIOS control/customization, supplier quality surveys, and counterfeit parts protection.
And for over 30 years, Trenton has furthered its commitment to enhanced data security through close partnerships with Intel® and NVIDIA®, providing the commercial, military, and industrial sectors with critical, next-gen computing solutions to operate with confidence across the modern technological landscape.
Want to learn more? Get in touch to see if we can help you craft a customized, CSfC-adherent solution today. Team Trenton is at your service. 😎