How long does it take to get an NSA CSfC solution approved?

If you’re thinking about building a CSfC solution, there are a few things to consider before getting started. One of the most important things government agencies and contractors can do is be aware of the process to get your final commercial solution CSfC Certified, and have a good understanding of the things you can do to make that process easier (and faster!).

Because Archon's GoSilent network security products are approved for use in CSfC deployments and are used in national security systems, we are often asked by organizations that are considering going down the CSfC route how long it takes to get a solution approved through the CSfC office. And of course, like all good things in life, the answer is: it depends.

Quite honestly, the most important factor that will determine the timeline for your CSfC approval is you.

We’ve been lucky to work very closely with CSfC Trusted Integrators like Scott Morrison at 4n2n Solutions, LLC, and between his wealth of network security experience and ours, we can give some guidance on what to expect and what you can do to speed up this process.

In this article, you will find the answers to the following questions:

• How long does it take to build a CSfC solution?
• What factors influence the CSfC approval timeline?
• What is the process for getting a CSfC solution approved?
• How can I speed up the process of building a CSfC approved solution?
• How does the CSfC timeline compare to the timeline for NSA type 1 encryption equipment?

🔎 Related Articles: Visit the CSfC Resource Center.

How long does it take to build a CSfC solution?

In general, you can expect that building and gaining approval for a CSfC solution will take, at minimum, six months. It is rare to see an IT product designed, purchased, built and approved in this timeline, but it is possible, especially if you have a well-thought-out plan and have a prepared (and set aside) budget.

More commonly, however, we see deployments take somewhere closer to 9 to 18 months to get all the way through to completion from the time of initial idea and planning, to approval by the CSfC office, with purchasing and installation of products the stages of the process that generally take the longest.

What factors influence the CSfC approval timeline?

There are pretty standard timeframes for the parts of the process where the CSfC office is involved, but where we see the biggest variations in how long the launch of a CSfC solution ultimately takes from ideation to completion are the parts of the process that are controlled from within your organization.

The biggest determinants are:

• How long internal approvals and communication within your organization takes;
• Timeline for the approval of the budget and ultimate release of funds for technology product purchases;
• The number of reworks or revisions to your architecture design; and
• The number and size of deviations your architecture has from the capability package you are starting from.

There are plenty of things you can do to make the process quicker and easier for your organization, but starting out by evaluating how fast your organization will be able to move with the items listed above will help you set realistic expectations and prepare appropriately.

What is the process for getting a CSfC solution approved?

You will start with designing the architecture to fit your unique needs. Based on our experience, we strongly recommend that you involve the CSfC Project Management Office (PMO) early in the design process. 

Before finalizing your design, you can (and should) do all of the following:

• Advise NSA of your plan to register a solution before finalizing the product design.
• Obtain a Solution Registration Identification number.
• Coordinate with the CSfC PMO to provide your documentation ahead of obtaining a signed version with the Authorizing Official (AO) so that CSfC engineers can review, advise and make recommendations.
• Configure and test your system using guidance from CSfC engineers.

Once you have a finalized design, built a prototype and completed rigorous testing, it’s time to submit your paperwork for registration and approval by the NSA.

The CSfC Solution Registration process is as follows:

1. Complete your Capability Package (CP) documentation (keep in mind there are separate versions of the following forms for the different CPs):
1. Registration Form
2. Compliance Checklist
3. Deviation Forms (if applicable)
4. Network diagrams outlining your technology and architecture
2. Obtain a signature from your Authorizing Official (AO):
1. Send your completed paperwork to your AO to sign. By signing, an AO is “asserting compliance with the published CP and acknowledging and accepting the risk of fielding a CSfC solution” (source).
3. Submit your completed and signed documentation:
1. Completed Registration packages should be emailed directly to the CSfC PMO.
4. Obtain a letter of acknowledgment:
1. Once NSA verifies compliance, it will provide a letter of acknowledgment that registration was completed and the time period for which it will last.
2. You will be required to re-register your package at the close of that time period.
   

How can I speed up the process of building a CSfC approved solution?

There are a few very important tips we can offer to help you speed up the process and avoid some of the common pitfalls that might otherwise drag out the CSfC process.

Involve a Trusted Integrator

Trusted Integrators have both strong relationships with the clients they serve, and a deep understanding of each individual protection profile and the components on the CSfC Approved Component List. While you're not required to use a Trusted Integrator to build your solution, the CSfC program management office (PMO) highly recommends it and it will improve your chances of getting registered quickly.

If you decide to work with a CSfC Trusted Integrator, you should look for an organization with extensive experience that knows the Capability Packages inside and out. Ideally, they should have a pre-existing relationship with NSA (and be aware of how they work to protect classified data) and have experience working with the commercial products on the CSfC Components List to build a layered solution.

You should ask your potential partner how many CSfC deployments they have done and which CPs they have used to get a good sense of their prior experience.

A good partner’s experience and expertise will save you considerable time and shorten the learning curve throughout the CSfC approval process.

Engage with CSfC early

Make sure you take full advantage of the CSfC PMO office throughout the process. 

As soon as you know which CP you will be using as a starting point, and you have an idea of what you want to achieve, it's a good idea to reach out to the CSfC office and do all of the following:

• Notify them that you plan to submit a package for approval. Often they can add your name to the list to help speed up the process once you’ve submitted.
• Discuss with them any deviations you are planning from the CSfC Capability Package you are using. They will be able to point you in the right direction or tell you what you can and can’t do.
• Ideally, get written answers from the CSfC PMO to any questions you ask that you can include for reference in your final documentation for submission.
  

Submit an official intent

As soon as you have your architecture designed and have built out a Bill of Materials (BOM) with the CSfC approved products you plan to use, submit that design to the CSfC office.

You’ll want to prepare a test or pilot environment, which is fine to start before (or while) you are working on submitting your official intent.

What you want to make sure of, however, is that you submit your intent (and hear back from NSA) before you purchase the full amount of technology products for production, just in case they suggest you change something that will ultimately change your BOM.

They will review your design, typically within a matter of weeks, and let you know if something needs to be changed or if it looks good as-is. At this point, you can launch into larger-scale production purchases.

Reduce the chance of submission rejection

Once you have fully tested your solution, it will be time to submit it for final certification. NSA’s CSfC website estimates that it will take around 30 days to complete reviews of submissions and complete their evaluation.

Ultimately, the thing that will add the most time to the process of building a CSfC solution is redesigns or reworks. All of the tips provided in the sections above will help reduce the chances of this happening.

In order to help NSA review your submission faster and reduce the chance they will reject it, keep the following in mind:

• Sticking as closely as possible to a CP or existing approved solution will reduce the chance that a redesign will be required.
• Specifically call out and explain any deviations from the CP to make it easier for them to review.
• The more deviations you have from the CP, the longer you can expect a review to take.
• If a CSfC Trusted Integrator has already submitted a similar architecture for approval, it can make it very easy for NSA to compare to something that has already been approved.
• Having good relationships with both the CSfC office and your Authorizing Official (AO), and asking them questions frequently throughout the process, will help make sure, once you get to your final submission, that everything will be in order.

🔎 Related Articles: CSfC Certification.

How does the CSfC timeline compare to the timeline for NSA type 1 encryption equipment?

In terms of the timeline for the initial launch, there isn’t a clear “one is faster than the other” when comparing CSfC to type 1.

What we can tell you is that you have more direct control over the timeline for CSfC solutions than you do with type 1, and as a result, if your organization can move quickly, then you will definitely be able to stand up a CSfC solution more quickly.

With NSA Type 1 products, you are at the mercy of whenever the equipment is available. You’ll put the order in, and can end up waiting for up to two years for that equipment to be delivered. As a result, in the case of Type 1 equipment, there isn’t anything you can personally do to control the timeline.

Once your initial CSfC deployment has been approved and launched, adding additional endpoints is as simple as purchasing off-the-shelf commercial equipment and provisioning it to work within the system.

By comparison, adding additional units of Type 1 encryption equipment follows the same waiting period as the initial deployment (up to two years).

Final thoughts

One of the most attractive parts of a CSfC solution is how much control is placed in your hands. The timeline for you to plan and build a solution is 100% dependent upon you, which means that if you’re ready, you can make it happen fast!

Are you ready?