The Mobile Access Capability Package (MACP) was developed as part of the Commercial Solutions for Classified (CSfC) Program. It is meant to address mobile and on-the-move requirements, and is specifically designed to help those working to implement a solution that will protect classified data in transit across untrusted networks.
The package typically applies to organizations that handle classified data and that are working to allow remote or external devices the ability to securely connect to their primary network.
A MACP solution could reduce the size, weight, power, and technical skill required compared to a Type 1 solution. This way, a single person can travel with a MACP solution, compared to the entourage of personnel required with a Type 1 solution.
The CSfC Mobile Access Capability Package describes how an organization can build a solution that allows remote endpoints to communicate back to the highly protected primary network over the open internet without compromising the security of classified information.
The goal of building a solution like this is to allow for individuals in the field to work as securely as they would from within an office connected to the secure network. Often this package is combined with the Data at Rest Capability Package to protect the data stored on said remote devices.
How to use the CSfC Mobile Access Capability Package
The Commercial Solutions for Classified (CSfC) program was created to provide solutions that communicate classified data using methods that are easier or less expensive than typical Type 1 communications equipment.
The CSfC program is an NSA initiative that allows U.S. government agencies to use commercial off-the-shelf (COTS) solutions that have been certified and verified to meet national security standards.
The basic idea behind the CSfC program utilizes a well-established cybersecurity concept, “defense in depth” (DiD). By layering multiple off-the-shelf IT security solutions on top of each other, the risk that all of these solutions will fail is much lower than it would be when using a single solution.
The CSfC program allows organizations to build solutions combining multiple commercial products that have all been verified and pre-approved for use in handling classified data.
All parts listed in the Commercial Solutions for Classified (CSfC) Components List must first go through the NIAP certification process in order to prove sufficient levels of security.
This process, along with inclusion on the CSfC Components List, allows organizations to be certain that the COTS parts they are using will provide enough security to keep the classified information they transmit secure.
How to Build a CSfC Solution
Proper implementation of CSfC requires at least half a dozen components from different vendors, and each component in your final product must be CSfC approved.
To simplify the process, NSA provides Capability Packages, which are reference architectures to be used as a starting point for building a CSfC solution. Using a Capability Package greatly increases the odds that your final CSfC solution will receive NSA certification.
The Mobile Access Capability Package provides high-level reference designs for mobile-connectivity solutions, along with the corresponding configuration information, so that you can select parts from the Commercial Solutions for Classified (CSfC) Components List and be assured your product will sufficiently protect classified data in transit.
To implement a mobile access solution successfully based on the capability package, you’ll need to ensure all Threshold requirements, and the corresponding applicable Objective requirements for the capability you want, are implemented.
- Threshold requirements detail important component features that provide the minimally acceptable capability for security.
- Objective requirements specify important component features that provide the preferred level of security desired.
You’ll want to do your best in all cases to meet the Objective requirements, but it may not always be possible. In those cases, your solution must meet at least the minimum Threshold requirements.
The CSfC Mobile Access Capability Package specifies three different types of networks: Red, Gray, and Black. This terminology is used to describe the level of protection required for each network.
- Red Network: Data on the Red network consists of unencrypted classified data and a Red Network contains only Red data. By definition, a Red Network is controlled by the solution owner or a trusted third party. End user devices (EUDs) on the Red Network may only communicate with other devices through the Mobile Access solution if both operate at the same security level. Red Network administration is responsible for managing the inner encryption settings.
- Gray Network: Data on the Gray network is classified data that has been encrypted a single time. Gray Networks are composed of Gray data and Gray Management Services, including firewalls and security information and event management (SIEM) software, managed through a Gray administration workstation. Gray Networks are controlled, both physically and logically, by the solution owner or a trusted third party. Gray Network administration can manage only outer, not inner, encryption.
- Black Network: Black networks contain classified data that has been encrypted twice. This is the network connecting the inner and outer VPN components together. Black Networks are not required to be under the control of the solution owner and may be operated by an untrusted third party.
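The Red, Gray and Black transitions above, and the split of key custody between Red and Gray administration, traced in code. This is an added example, not part of the capability package or of any CSfC product: the cipher is a constructed stand-in for the real inner and outer VPN encryption, and the role names and functions are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a VPN cipher: HMAC-SHA256 keystream in counter
# mode. It is NOT a CSfC-approved algorithm; it only models "one encryption
# layer" so the Red -> Gray -> Black transitions can be followed step by step.
def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = (off // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)  # fresh per packet, prefixed to the ciphertext
    return nonce + _xor_keystream(key, nonce, plaintext)

def decrypt_layer(key: bytes, ciphertext: bytes) -> bytes:
    return _xor_keystream(key, ciphertext[:12], ciphertext[12:])

# Key custody mirrors the administrative split described above: the Red
# admin manages inner encryption, the Gray admin manages outer encryption,
# and neither role holds both keys. (Hypothetical role names.)
def make_key_domains() -> dict:
    return {"red_admin": {"inner": os.urandom(32)},
            "gray_admin": {"outer": os.urandom(32)}}

def eud_send(domains: dict, red_data: bytes) -> dict:
    """Outbound packet: Red data -> Gray (inner layer) -> Black (outer layer)."""
    gray = encrypt_layer(domains["red_admin"]["inner"], red_data)
    black = encrypt_layer(domains["gray_admin"]["outer"], gray)
    return {"red": red_data, "gray": gray, "black": black}

def gateway_receive(domains: dict, black: bytes) -> bytes:
    """Outer VPN strips the outer layer (Gray), inner component strips the inner (Red)."""
    gray = decrypt_layer(domains["gray_admin"]["outer"], black)
    return decrypt_layer(domains["red_admin"]["inner"], gray)

def exposure_if_outer_key_leaks(domains: dict, black: bytes) -> bytes:
    """What someone holding only the Gray admin's key sees: still-encrypted Gray data."""
    return decrypt_layer(domains["gray_admin"]["outer"], black)

if __name__ == "__main__":
    d = make_key_domains()
    trace = eud_send(d, b"CONSTRUCTED SAMPLE: classified report text")
    assert gateway_receive(d, trace["black"]) == trace["red"]
    assert exposure_if_outer_key_leaks(d, trace["black"]) != trace["red"]
```

The last assertion is the defense-in-depth point: losing the outer (Gray) key alone exposes only Gray data, which is still protected by the inner layer the Red admin controls.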
The CSfC Mobile Access Capability Package provides specific details on the differences between types of EUDs which may connect to a network from the outside.
To successfully implement Data-at-Rest (DAR) requirements, your end device must be one of the following:
- EUD with DAR: The DAR solution implemented on the EUD must be approved by the NSA. It has to be registered with NSA’s DAR Capability Package and approved as a solution for the protection of classified information at the Red Network level. In this case, continuous physical control of the EUD must be maintained, without fail.
- Classified EUD: If this design option is chosen, the EUD must be treated as a classified device and can only be used when applying appropriate physical security measures. The EUD must also use encryption capabilities to protect any private keys and classified information stored on the device. Again, in this case, continuous physical control of the EUD must be maintained, without fail.
- Thin EUD: This option implements techniques to design and build the EUD in such a way that it prevents any classified information from being saved in persistent storage on the physical device. Some methods for achieving this include using a virtual desktop infrastructure (VDI) configured to stop any Red Network-level data from being saved on the EUD, restricting the virtual machine to a non-persistent state, and configuring the operating system on the EUD to stop users from saving data locally. In this instance, the EUD must again use encryption capabilities to protect any private keys and classified information stored on the device. Again, in this case, continuous physical control of the EUD must be maintained, without fail.
The CSfC Mobile Access Capability Package details specific requirements for all of the following components of a solution:
- Outer Firewall
- Outer VPN Gateway
- Gray Firewall
- Inner Firewall
- Gray Management Services
- Inner Encryption Components
- Red Management Components
- Public Key Infrastructure Components
- End-User Device Components
- Outer VPN Components
- Continuous Monitoring
- Key Management
When building your solution, use the capability package to determine what the requirements are for each component, and then find a provider of each component on the CSfC Components List.
If you’re daunted by the very prospect of getting started, NSA also provides a list of Trusted Integrators - third-party contractors who have met a strict set of criteria and can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
If you’d prefer not to develop a solution in-house, there are also a number of vendors that make CSfC kits.
After finding the right CSfC vendor and outlining your use case, you can remain fairly hands-off during the development process. Once this is complete, you can submit the final CSfC solution to NSA for approval.
No matter your level of technical expertise or time commitment, a CSfC solution is within reach.
Use Cases for the CSfC Mobile Access Capability Package
The initial use case that motivated the MACP was to allow traveling executives to check email from mobile devices while away from the office. It is often employed for users who travel regularly but still need to access classified information in the execution of their job.
The Mobile Access Capability Package is also used frequently for law enforcement agencies that need the ability to set up mobile security operations centers (SOCs) or command centers at a moment’s notice. It is also highly applicable to users who need to connect over 4G or satellite connections in a pinch.