As part of its Commercial Solutions for Classified (CSfC) program, NSA offers several Capability Packages as a starting point for users to reference when implementing their own solutions. Think of them as pre-approved "blueprints" for architecting a CSfC solution, or a solution that needs to be used in a National Security System.
The products, or components, which are used in the Capability Packages and, ultimately, to build CSfC solutions, must be selected off the NSA CSfC Components List, and can be used to build a layered solution containing multiple components.
The products on the Components List have all been certified to meet the highest levels of security through NSA's rigorous National Information Assurance Partnership (NIAP) certification, along with Federal Information Processing Standards (FIPS) when applicable, meaning that they are built in accordance with the US Government's stringent cybersecurity requirements.
The CSfC Capability Packages (CPs) are regularly reviewed, updated, and re-published for use by the NSA CSfC Program Management Office (CSfC PMO).
CPs are a part of the CSfC program that provides vendor-agnostic requirements for the implementation and configuration of a secure solution within a certain architectural area.
There are currently four CPs:
A VPN Client is software that is installed on endpoint devices allowing them to send encrypted data or traffic to and from a central network.
Read the full NIAP protection profile for VPN clients. You can also view the list of CSfC Certified IPsec VPN Clients on the CSfC website.
A VPN Gateway is used to send encrypted data or traffic between two remote devices or networks.
Read the full NIAP protection profile for VPN clients. You can also view the list of CSfC Certified IPsec VPN Gateways on the CSfC website.
MACSEC Ethernet encryption devices allow Ethernet data or traffic to be securely transmitted between two Ethernet-connected endpoints.
Read the full NIAP protection profile for MACSEC encryption devices. You can also view the list of CSfC Certified MACSEC Ethernet Encryption Devices on the CSfC website.
Mobile Device Management (MDM) systems are used to control the administration and access of third-party mobile devices like smartphones, tablets, and laptops.
Read the full NIAP protection profile for MDMs. You can also view the list of CSfC Certified MDMs on the CSfC website.
Session border controllers are used to protect VoIP-based communication and data between endpoint devices or networks.
Read the full NIAP protection profile for session border controllers. You can also view the list of CSfC Certified Session Border Controllers on the CSfC website.
Enterprise session controllers are simply session border controllers packaged as part of a larger scale unified communications or contact center solution.
Read the full NIAP protection profile for enterprise session controllers. You can also view the list of CSfC Certified Enterprise Session Controllers on the CSfC website.
Software disk encryption solutions use software methods instead of hardware-based methods for full hard disk encryption and data protection.
Read the full NIAP protection profile for software disk encryption solutions. You can also view the list of CSfC Certified Software Full Drive Encryption Solutions on the CSfC website.
TLS protected servers use the Transport Layer Security (TLS) protocol to secure all communications to and from the server.
Read the full NIAP protection profile for TLS protected servers. You can also view the list of CSfC Certified TLS Protected Servers on the CSfC website.
TLS software applications use the Transport Layer Security (TLS) protocol to secure all communications to and from the application.
Read the full NIAP protection profile for TLS protected applications. You can also view the list of CSfC Certified TLS Software Applications on the CSfC website.
Traffic filtering firewalls are firewalls that allow you to filter out very specific types of traffic.
Read the full NIAP protection profile for traffic filtering firewalls. You can also view the list of CSfC Certified Traffic Filtering Firewalls on the CSfC website.
VoIP applications are meant to control and direct VoIP traffic.
Read the full NIAP protection profile for VoIP applications. You can also view the list of CSfC Certified VoIP Applications on the CSfC website.
Web browsers are installed on end-user devices and used to connect and browse the internet.
Read the full NIAP protection profile for VoIP applications. You can also view the list of CSfC Certified Web Browsers on the CSfC website.
WLAN access systems control the access of users to a WLAN network.
Read the full NIAP protection profile for WLAN access systems. You can also view the list of CSfC Certified WLAN Access Systems on the CSfC website.
WLAN clients are installed on end-user devices that need access to the WLAN network.
Read the full NIAP protection profile for WLAN Clients. You can also view the list of CSfC Certified WLAN Clients on the CSfC website.
It can take anywhere from 6 to 7 months for new Protection Profiles to be built and released.
Creating and releasing a new profile is approached in four phases, with the entire process totaling between 4 and 5 months to complete:
As of this writing, the current protection profiles under development include:
As updates happen, products on the CSfC Component List may lose their certification. Vendors also may choose not to renew certifications when their renewal period expires. For this reason, CSfC maintains an Archived Components List.
If you have a solution that includes any component that is moved to the Archived Component List, you'll have two years to transition from that component to a new solution that is currently approved.
If you’re daunted by the very prospect of navigating the CSfC Components List, NSA also provides a list of Trusted Integrators - third-party contractors who have met a strict set of criteria. These organizations can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
Trusted Integrators have both strong relationships with the clients they serve and a deep understanding of many components on the CSfC Approved Component List. All Trusted Integrators are individually vetted by the CSfC PMO prior to inclusion on the list. While it is not required to use a CSfC Trusted Integrator to build your solution, it is highly encouraged by CSfC and will improve your chances of getting a solution registered quickly.
Some of the requirements that Trusted Integrators must meet in order to be included on the list are:
The CSfC Component List is growing and changing constantly, and building a CSfC solution is just the beginning. Keep in mind that you will need to regularly review and refresh your approved solution as technology improves or changes.