Archon Secure Blog

CSfC Mobile Access Capability Package Architecture Examples

Written by Archon Secure Team | Apr 6, 2022 8:54:55 PM

The Mobile Access Capability Package (MACP) was developed as part of the Commercial Solutions for Classified (CSfC) Program to address mobile and on-the-move requirements. It is specifically designed to help those working to implement a solution that will protect classified data in transit across untrusted networks in a mobile environment.

The MACP provides high-level reference designs for solutions to provide mobile connectivity and corresponding configuration information that allows you to select parts from the Commercial Solutions for Classified Components List to build your solution.

 

But, often we find that this isn’t enough for government users or DIB contractors to envision a way their own architecture might work, or how they might build a commercial solution to fit their unique needs.

 

As such, we’ve started building a library of example use cases, which we will continue updating and improving over time, to help give you a better foundation for building your own CSfC approved deployment for mobile access (MA).

 

Some common use cases for the CSfC Mobile Access Capability Package (CP) include:

  • Field team communications for law enforcement agencies
  • Mobile campus communications for government agencies or DIB contractors
  • Military communications kits
  • Tactical military communications

 

🔎 Related Articles: Your Complete Guide to Building an NSA CSfC Approved Solution.

 

Baseline CSfC solution security architecture requirements

All MA solutions must support transit across “black networks.” You can read more about the security requirements for red, gray and black networks in our detailed article about the MACP.

To achieve this, all CSfC approved solutions must use a double encryption tunnel to protect sensitive information between the mobile devices accessing the network and the centralized network itself, or a national security system.

 

Field team communications for law enforcement agencies

One common use case for CSfC is for field communications. Sending agents or operatives into the field with minimal equipment, which is acceptable if left-behind or lost, is an incredibly important benefit of going with commercial rather than NSA Type 1 encryption equipment.

 

This is especially attractive when you need the flexibility and security to communicate across a variety of networks like cellular, Wi-Fi or satellite networks. NSA Type 1 equipment limits you significantly in this regard.

Typically in this situation, you’ll have a temporary mobile secure operations center (SOC) or command post where your centralized team will work for the duration of the mission. 

 

Communications from the temporary SOC back to physical headquarters must be secure.

 

In addition, you’ll have operatives who need to go out in the field and communicate securely back with the command post on an ad-hoc basis.

 

Architecture example: temporary SOC and field communications

Below is a sample architecture we built when working with these requirements with a client who needed to protect Secret level data in the past. Each individual project will have its own unique needs, but the sample below may be close to what you need if you find yourself in a similar situation.

 

In this instance, the command post was set up with our GoSilent Cube hardware VPN. All devices within the command post connected with the GoSilent over Wi-Fi and communicated any information through the outer tunnel created by the hardware VPN.

 

Each of the field operatives was provided with a tablet connected to a GoSilent Cube hardware VPN, a retransmission device and a battery pack. Each tablet was pre-loaded with a software VPN to support the inner tunnel of the double VPN tunnel, with the GoSilent Cube hardware VPN acting as the outer tunnel.

 

Additionally, each tablet used only a VDI client to access data and information stored on the centralized agency network, so as not to keep any sensitive or classified information on the device itself (in case of loss or theft).

 

This allowed the field operatives to carry a tablet in hand, and keep the remaining portable, light equipment in a small backpack to remain inconspicuous. This simple architecture maximizes flexibility for the client, allowing them to change or include additional end user devices, as well as execute MACP deployments for other use cases throughout the organization.

 

Mobile campus communications for government agencies or DIB contractors

Another common use case involves inner-campus mobile communications. We’ve seen this provide significant value on campuses which are very large and where staff frequently need to be mobile across the campus.

 

If your staff needs to access classified information anywhere they might go on the campus, particularly outdoors or away from their desks, this use case is especially interesting.

 

In this case, we have extended an existing Campus WLAN CP deployment to also support the MACP.

 

Architecture example: extending campus WLAN

In the instances that we’ve worked with clients on this particular architecture, it is typically to support the maintenance of equipment that spans a large physical space, like aircraft hangars.

 

All of the service manuals and information needed to execute maintenance is classified, so accessing it requires CSfC or NSA Type 1 protections. What we were seeing in practice is that staff would have to constantly go back and forth between the area where maintenance was happening (like an airplane hangar) and their desk to access classified documents.

 

This traveling wasted a significant amount of time and effort that staff could have put toward executing maintenance if they only had real time access to the documentation they needed where they needed it.

 

In this case, each technician can be outfitted with a government-issued tablet connected to a GoSilent Cube hardware VPN. Similar to the example above, the tablet is pre-loaded with a software VPN to act as the inner tunnel, and the hardware VPN acts as the outer tunnel.

 

With this architecture, technicians can now use tablets to connect wirelessly to classified networks, all while staying in the places they need to complete maintenance.  Technicians can send pictures, videos and file attachments, and also receive schematics and instructions from the engineering team. All types of information are transmitted directly and securely using tools for real-time diagnostic communication. 

 

Ultimately, a setup like this can result in higher productivity and reduced operating costs. 

 

DIB contractor or government remote work

Another use case that has seen a significant increase in popularity around COVID-19 is support for government remote work.

While this problem has been highlighted by the current pandemic, overall the need for staff to work remotely as part of a government agency or DIB contractor is nothing new. And, it certainly isn’t going away anytime soon.

 

Even before COVID hit, many bases, campuses or government buildings were beginning to reach capacity. In the past, this would mean expanding the base, or finding a new building. Instead, many agencies are now looking to remote work as a way to reduce the resource burden on a physical location.

 

We’ve worked with a number of clients to build a CSfC approved architecture for remote work. Below are examples of the two most common deployments we’ve seen.

 

Architecture example: hardware VPN + secure laptops

The most common method we’ve seen to allow for government remote work includes issuing government laptops outfitted with everything that is needed to keep them secure.

 

In this case, the government agency or DIB contractor will purchase devices, set up a software VPN for use in the inner encryption tunnel, and any other software that is needed for users to complete their jobs. 

 

Additionally, those devices will have to support dual data at rest encryption, in accordance with the CSfC Data at Rest (DAR) CP, to protect any data or information stored on the devices themselves in the event of loss or theft.

 

Staff are issued one of the laptops in addition to a GoSilent Cube hardware VPN to support the outer tunnel of dual tunnel encryption.

Now each staff member is primed and ready for work from anywhere, over any network, with secure access to their central network.

 

Architecture example: VDI + hardware VPN

This particular architecture shines when time is of the essence and resources are strained. In the above case, the amount of remote work that can be supported relies 100% on the ability to supply government-furnished devices to staff.

 

In certain cases, such as when a pandemic suddenly forces a large number of staff to shift to telework, this can be a big impediment. This particular solution came to light to support immediate COVID-19 response to government work.

 

The costs associated with having enough government-furnished devices ready for the entirety of your agency staff is not usually feasible.

 

More specifically, in this case, where remote work needed to be ramped up very quickly, and with little involvement from the central IT staff, this approach is not only impractical but completely impossible.

 

Even outside of the pandemic, this is a very attractive option for its ability to scale up and down easily, and as a method to keep all sensitive data off of end user devices.

 

 

In this case, we’ve advised clients on building out virtualized desktops for each user on their own centralized network. For this configuration, end users would be provided with a GoSilent Cube hardware VPN to connect to a government-issued device, as well as both a software VPN and a VDI client on their endpoint device. With these pieces in place, users connect their VDI client to their own unique virtual desktop on the central server and work begins.

 

You can learn more about how this particular architecture works in our in-depth article on combining a VDI and hardware VPN.

 

Military communications kits

Historically, NSA Type 1 encryption equipment has been the primary vehicle for building military communications equipment.

 

Recent years, however, have seen the growth in the use of CSfC solutions, which offers an alternative to NSA Type 1 encryption products for use in military communications.

 

Military communications kits are commonplace within the Department of Defense (DoD) and typically consist of on-demand, secure command and control network communications meant to keep key leaders connected via voice, video, email and data from anywhere in the world.

 

Communications kits generally need to support voice calls, built-in cellular and Wi-Fi transport options, a USB port for laptop or other device, and an integrated power supply. Some kits are designed and approved to send sensitive, unclassified information, whereas others may also need to transport classified data.

 

🔎 Related Articles: Your Ultimate Guide to Mobile Device Security

 

Architecture example: retrofitting NSA Type 1 encryption systems

Often we are approached by clients working to retrofit an existing NSA Type 1 communication kit to work with CSfC. Depending upon the components in the existing kit, this can sometimes be as simple as replacing a few simple components.

 

The most important requirements for any military communications kits are:

  • The ability to send and receive highly sensitive, classified communications via secure methods;
  • Due to the size of comms kits, it is important that the solution for securing transmission have a small form factor;
  • The ability to communicate in highly mobile situations;
  • Minimal set-up time, as these kits are often needed in immediate or emergency situations; and
  • The ability to send and receive communications in real-time.

 

In this particular case, we worked with the client to build a suitcase which had all of the equipment needed for their work combined with a CSfC Approved GoSilent Cube for secure transmission of that data.

 

Secure comms kits can contain built-in tech solutions such as:

  • Firewalls
  • VPNs
  • Laptops
  • Satellite link
  • 4G
  • Wi-Fi hotspot
  • Backhaul
  • Router

In this particular solution built for one of our clients, we were able to replace a few components to provide them with a solution ready for CSfC approval. By using a GoSilent hardware VPN for communication across the untrusted networks listed above, along with the existing equipment they built into the kit, the client was able to replace their old Type 1 equipment.

 

Tactical military communications

Another common CSfC use case in military communications is using CSfC components to increase security of existing tactical communication methods.

 

You will often see things like military radio communication systems or military tactical communications systems that need to be made more secure. This can be done quite easily just by adding an additional layer of encryption. 

 

Architecture example: retrofitting tactical communications

For most of our clients, there has been no need to completely re-architect a solution. Instead, we’ve simply been able to add a GoSilent Cube hardware VPN on top of radio communications systems already in use to provide the dual encryption tunnel needed for data protection.

 

In this instance, we’ve worked with tactical units to connect a GoSilent Cube hardware VPN along with a battery pack to the radios already in use by operatives. This addition takes an existing radio communication method and allows it to be used safely in the transmission of much more sensitive data.

 

Final Thoughts

The most important thought I can leave you with is that no two CSfC deployments are exactly the same. Each solution we’ve worked with clients to build has been unique due to the requirements of the solution, the existing infrastructure the solution must work within, or the existing limitations of components within the desired architecture.

 

Have a CSfC MA use case we didn’t mention? Talk to us about it! We are always game to tackle a new challenge, and we will work with you or your CSfC trusted integrator to find the right fit for your needs.