The Mobile Access Capability Package (MACP) was developed as part of the Commercial Solutions for Classified (CSfC) Program. It is meant to address mobile and on-the-move requirements and is specifically designed to help those working to implement a solution that will protect classified data in transit across untrusted networks.
The package typically applies to organizations that handle classified data and that want to let remote or external devices connect securely to their primary network.
A MACP solution could reduce the size, weight, and power, along with the technical skills required, compared to a Type 1 solution. This way, a single person can travel with a MACP solution, rather than the entourage of personnel required with a Type 1 solution.
The CSfC Mobile Access Capability Package describes how an organization can build a solution that allows remote endpoints to communicate back to the highly protected primary network over the open internet without putting classified information at risk.
The goal of building a solution like this is to allow for individuals in the field to work as securely as they would from within an office connected to the secure network. Often this package is combined with the Data at Rest Capability Package to protect the data stored on said remote devices.
The Commercial Solutions for Classified (CSfC) program was created to provide solutions that communicate classified data using methods that are easier or less expensive than typical Type 1 communications equipment.
The CSfC program is an NSA initiative that allows U.S. government agencies to use commercial off-the-shelf (COTS) solutions that have been certified and verified to meet national security standards.
The CSfC program builds on a well-established cybersecurity concept, “defense in depth” (DiD). By layering multiple off-the-shelf IT security solutions on top of each other, the risk that all of these solutions will fail is much lower than the risk of failure when using a single solution.
The CSfC program allows organizations to build solutions combining multiple commercial products that have all been verified and pre-approved for use in handling classified data.
All parts listed in the Commercial Solutions for Classified (CSfC) Components List must first go through the NIAP certification process in order to prove sufficient levels of security.
This process, along with inclusion on the CSfC Components List, allows organizations to be certain that the COTS parts they are using will provide enough security to keep the classified information they transmit secure.
Proper implementation of CSfC requires at least half a dozen components from different vendors, and each component within your final product will need to be CSfC approved.
To simplify the process, NSA provides Capability Packages, which are reference architectures to be used as a starting point for building a CSfC solution. Using a Capability Package greatly increases the odds that your final CSfC solution will receive NSA certification.
The Mobile Access Capability Package provides high-level reference designs for mobile connectivity solutions, along with the corresponding configuration information. With it, you can select parts from the Commercial Solutions for Classified (CSfC) Components List and be assured your product will have sufficient protection for classified data in transit.
To implement a mobile access solution successfully based on the capability package, you’ll need to ensure all Threshold requirements, and the corresponding applicable Objective requirements for the capability you want, are implemented.
You’ll want to do your best in all cases to meet the Objective requirements, but it may not always be possible. In those cases, your solution must meet at least the minimum Threshold requirements.
The CSfC Mobile Access Capability Package specifies three different types of networks: Red, Gray, and Black. This terminology is used to describe the level of protection required for each network.
The CSfC Mobile Access Capability Package provides specific details on the differences between the types of End User Devices (EUDs) that may connect to a network from the outside.
To successfully implement Data-at-Rest (DAR) requirements, your end device must be one of the following:
The CSfC Mobile Access Capability Package details specific requirements for all of the following components of a solution:
When building your solution, use the capability package to determine what the requirements are for each component, and then find a provider of each component on the CSfC Components List.
If you’re daunted by the very prospect of getting started, NSA also provides a list of Trusted Integrators - third-party contractors who have met a strict set of criteria and can help you navigate the CSfC process, offering their assistance and technical expertise along the way. If you’d prefer not to develop a solution in-house, there are also a number of vendors that make CSfC kits.
After finding the right CSfC vendor and outlining your use case, you can remain fairly hands-off during the development process. Once this is complete, you can submit the final CSfC solution to NSA for approval.
No matter your level of technical expertise or time commitment, a CSfC solution is within reach.
The use case that originally drove the MACP was to allow traveling executives to check emails from mobile devices or when they were away from the office. It is often employed for users who travel regularly but still need to access classified information in the execution of their job.
The Mobile Access Capability Package is also used frequently for law enforcement agencies that need the ability to set up mobile security operations centers (SOCs) or command centers at a moment’s notice. It is also highly applicable to users who need to connect over 4G or satellite connections in a pinch.