As part of its Commercial Solutions for Classified (CSfC) program, NSA offers several Capability Packages as a starting point for users to reference when implementing their own solutions. Think of them as pre-approved "blueprints" for architecting a CSfC solution, or a solution that needs to be used in a National Security System.
The products, or components, which are used in the Capability Packages and, ultimately, to build CSfC solutions, must be selected off the NSA CSfC Components List, and can be used to build a layered solution containing multiple components.
The products on the Components List have been evaluated against NSA's National Information Assurance Partnership (NIAP) Protection Profiles and, where applicable, validated under the Federal Information Processing Standards (FIPS), meaning that they are built in accordance with the US Government's cybersecurity requirements. The CSfC Capability Packages (CPs) are reviewed, updated, and re-published by the NSA CSfC Program Management Office (CSfC PMO) on a regular basis.
What are the Commercial Solutions for Classified or CSfC capability packages?
CPs are a part of the CSfC program that provide vendor-agnostic requirements for the implementation and configuration of a secure solution within a certain architectural area.
There are currently four CPs:
- Mobile Access CSfC Capability Package : Describes how an organization can build a solution that allows remote endpoints to communicate back to the highly-protected primary network over unclassified networks or the open internet without risking the security of classified information.
- Multi-Site Connectivity CSfC Capability Package : Describes how an organization can build a solution that connects various site networks together and allows them to communicate with each other over unclassified networks or the open internet without risking the security of classified information.
- Wireless LAN CSfC Capability Package : Describes how an organization can build a solution that allows for campus-wide, secure wireless connectivity within a protected physical barrier or perimeter.
- Data-at-Rest CSfC Capability Package : Meant to help those working to implement a solution that will protect classified data stored on end-user devices.
The CPs are reference designs that can be built from commercial off-the-shelf (COTS) products and are meant to be customized in accordance with the user's needs and mission objectives. They are product neutral: while they describe the types of products that can be used to satisfy CSfC requirements, users must still consult the CSfC Components List to select the actual COTS products that they will use in their CSfC architecture.
What are protection profiles?
Rather than a single general certification, NIAP publishes technology-specific sets of security requirements, commonly referred to as Protection Profiles (PPs), against which products in a given category are evaluated.
This method of certification provides assurance that a product meets exact security, data protection, and compliance requirements for a specific product category in order to provide repeatable and testable evaluation results across that entire product category.
The easiest way to navigate the CSfC components list is by protection profile.
Current protection profiles
NIAP protection profiles provide minimum baseline requirements for "mitigating well defined and described threats" within each category broken out below.
An authentication server is meant to help authenticate the identity of any individual or device looking to access a network.
Read the full NIAP protection profile for authentication servers. You can also view the list of CSfC Certified Authentication Servers on the CSfC website.
A certificate authority is an entity that issues digital certificates that certify ownership of a specific public key by a named owner.
Read the full NIAP protection profile for certificate authorities. You can also view the list of CSfC Certified Certificate Authorities, managed by the CSfC program office, on the CSfC website.
An email client is simply a program used to access and display a user's email.
End-User Device / Mobile Platform
An end-user device or mobile platform is the specific mobile device used by an individual to connect to a network, like an iPhone for instance.
Read the full NIAP protection profile for End User Devices / Mobile Platforms. You can also view the list of CSfC Certified End User Devices / Mobile Platforms on the CSfC website.
File encryption systems use cryptography to prevent unauthorized access to data or digital information.
Read the full NIAP protection profile for file encryption systems. You can also view the list of CSfC Certified File Encryption Systems on the CSfC website.
Hardware Full Drive Encryption
Hardware full drive encryption (self-encrypting drives) performs the encryption inside the drive's own controller, so the data encryption key and the cipher operations are handled on the drive rather than by the host operating system.
Read the full NIAP protection profile for hardware disk encryption systems for data storage. You can also view the list of CSfC Certified Hardware Full Drive Encryption Systems on the CSfC website.
Intrusion Prevention Systems
An Intrusion Prevention System (IPS) sits inline on your network and examines traffic as it flows, blocking traffic that matches known attack signatures or anomalous behavior.
Read the full NIAP protection profile for intrusion prevention systems. You can also view the list of CSfC Certified Intrusion Prevention Systems on the CSfC website.
IPsec VPN Client
A VPN Client is software installed on an endpoint device that establishes an IPsec tunnel to a VPN gateway, so that traffic between the endpoint and the central network is encrypted in transit.
IPsec VPN Gateway
A VPN Gateway terminates IPsec tunnels from VPN clients or from other gateways, encrypting traffic between the network it protects and remote devices or sites.
Read the full NIAP protection profile for IPsec VPN gateways. You can also view the list of CSfC Certified IPsec VPN Gateways on the CSfC website.
MACsec Ethernet Encryption Devices
MACsec (IEEE 802.1AE) Ethernet encryption devices encrypt and authenticate Ethernet frames at the link layer, so traffic between two directly connected MACsec peers is protected hop by hop.
Read the full NIAP protection profile for MACsec encryption devices. You can also view the list of CSfC Certified MACsec Ethernet Encryption Devices on the CSfC website.
Mobile Device Management
Mobile Device Management (MDM) systems are used to enroll, configure, and enforce security policy on mobile devices such as smartphones, tablets, and laptops.
Session Border Controller
Session border controllers are used to protect VoIP-based communication and data between endpoint devices or networks.
Read the full NIAP protection profile for session border controllers. You can also view the list of CSfC Certified Session Border Controllers on the CSfC website.
Enterprise Session Controller
Enterprise session controllers are simply session border controllers packaged as part of a larger scale unified communications or contact center solution.
Read the full NIAP protection profile for enterprise session controllers. You can also view the list of CSfC Certified Enterprise Session Controllers on the CSfC website.
Software Full Drive Encryption
Software disk encryption solutions use software methods instead of hardware-based methods for full hard disk encryption and data protection.
Read the full NIAP protection profile for software disk encryption solutions. You can also view the list of CSfC Certified Software Full Drive Encryption Solutions on the CSfC website.
TLS Protected Servers
TLS protected servers use the Transport Layer Security (TLS) protocol to secure all communications to and from the server.
Read the full NIAP protection profile for TLS protected servers. You can also view the list of CSfC Certified TLS Protected Servers on the CSfC website.
TLS Software Applications
TLS software applications use the Transport Layer Security (TLS) protocol to secure all communications to and from the application.
Read the full NIAP protection profile for TLS protected applications. You can also view the list of CSfC Certified TLS Software Applications on the CSfC website.
Traffic Filtering Firewall
Traffic filtering firewalls permit or block traffic based on packet attributes such as source and destination addresses, protocols, and ports, typically tracking connection state so that only traffic matching an explicitly allowed flow is passed.
Read the full NIAP protection profile for traffic filtering firewalls. You can also view the list of CSfC Certified Traffic Filtering Firewalls on the CSfC website.
VoIP applications are end-user software used to place and receive voice calls over IP networks.
Web browsers are installed on end-user devices and used to connect and browse the internet.
WLAN Access System
WLAN access systems (access points and their controllers) authenticate clients and control which users and devices are admitted to a WLAN.
Read the full NIAP protection profile for WLAN access systems. You can also view the list of CSfC Certified WLAN Access Systems on the CSfC website.
WLAN clients are installed on end-user devices that need access to the WLAN.
Protection Profiles in Development
It typically takes 6 to 7 months for a new Protection Profile to be built and released.
Creating and releasing a new profile is approached in four phases, whose durations together account for that 6 to 7 months:
- Initiation: In this phase, essential security requirements for the profile are being developed. This phase typically takes about one month to complete.
- Planning: In this phase, the technical community is involved in planning the necessary requirements for the profile. This phase typically takes about one month to complete.
- Development: In this phase, NIAP works to fully define threats, security requirements, and assurance activities for the profile. This phase typically takes 3 to 4 months to complete.
- Publishing: In this phase, public approval is obtained and the profile is officially released via the NIAP website. This phase typically takes one month to complete.
As of this writing, the current protection profiles under development include:
- Endpoint Detection and Response
- Host Agent
- Wireless Intrusion Detection/Prevention Systems (WIDS/WIPS)
- Voice and Video over IP (VVoIP)
Archived components list
As updates happen, products on the CSfC Components List may lose their certification. Vendors also may choose not to renew certifications when their renewal period expires. For this reason, CSfC maintains an Archived Components List.
If you have a solution that includes any component that is moved to the Archived Component List, you'll have two years to transition from that component to a new solution that is currently approved.
Taking Advantage of CSfC Trusted Integrators
If you’re daunted by the very prospect of navigating the CSfC Components List, NSA also provides a list of Trusted Integrators - third-party contractors who have met a strict set of criteria. These organizations can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
Trusted Integrators have both strong relationships with the clients they serve and a deep understanding of many components on the CSfC Components List. All Trusted Integrators are individually vetted by the CSfC PMO prior to inclusion on the list. While it is not required to use a CSfC Trusted Integrator to build your solution, it is highly encouraged by CSfC and will improve your chances of getting a solution registered quickly.
Some of the requirements that Trusted Integrators must meet in order to be included on the list are:
- Management and technical requirements of the International Organization for Standardization (ISO)/International Electro-Technical Commission (IEC)
- National Voluntary Lab Accreditation Program, as per NIST Handbook 150
- ISO 9000, Quality Management Systems
- Capability Maturity Model Integration (CMMI)
The CSfC Component List is growing and changing constantly, and building a CSfC solution is just the beginning. Keep in mind that you will need to regularly review and refresh your approved solution as technology improves or changes.
Read our full guide on building a CSfC solution to learn how you can embark upon the process, and where you can find resources to make it easier.