The Multi-Site Connectivity Capability Package was developed as part of the Commercial Solutions for Classified (CSfC) Program and is meant to help those working to implement a solution that will protect classified data in transit across untrusted networks.
The package typically applies to organizations that handle classified data and need to securely connect remote branches or permanent field offices together.
Each site has an individual, highly protected network, and the CSfC Multi-Site Connectivity Capability Package describes how they can build a solution that connects these various site networks together, allowing them to communicate with each other over the open internet without risking the security of classified information.
The goal of building a solution like this is to connect multiple large networks together instead of just a single device or a handful of devices.
Often this capability package is used along with the Mobile Access Capability Package to add individual or remote device functionality.
How to use the CSfC Multi-Site Connectivity Capability Package
The Commercial Solutions for Classified (CSfC) program was created to provide solutions to communicate classified data using methods that are simpler than typical Type 1 communications equipment.
The CSfC program is an NSA initiative that allows U.S. government agencies to use commercial off-the-shelf (COTS) solutions that have been verified and approved to meet national security standards.
The basic idea behind the CSfC program is “defense in depth” (DiD), a well-established concept in cybersecurity. By layering multiple commercial IT security solutions on top of each other, the risk that all of these solutions will fail is much lower than it would be when using a single solution.
The CSfC program allows organizations to build solutions combining commercial products that have all been pre-approved for use in handling classified data. All parts listed in the Commercial Solutions for Classified (CSfC) Components List must first go through the NIAP certification process.
This process, along with inclusion on the CSfC Components List, allows organizations to be certain that the commercial parts they are using will provide enough security to safeguard the classified information they transmit.
How to Build a Solution
Proper implementation of CSfC requires at least half a dozen components from different vendors, with each component within your final product needing to be CSfC approved.
To simplify the process, NSA provides Capability Packages, which are reference architectures to be used as a starting point for building a CSfC solution. Using a Capability Package greatly increases the odds that your final CSfC solution will receive NSA certification.
The Multi-Site Connectivity Capability Package includes high-level reference designs for solutions to provide site-to-site connectivity and corresponding configuration information that allows you to select parts from the Commercial Solutions for Classified (CSfC) Components List to meet your needs.
To implement a multi-site solution successfully based on the capability package, you’ll need to ensure all Threshold requirements, and the corresponding applicable Objective requirements for the capability you want, are implemented. Threshold requirements detail important component features that provide the minimally acceptable capability for security. Objective requirements specify important component features that provide the preferred level of security desired.
You’ll want to do your best in all cases to meet the Objective requirements, but it may not always be possible. In those cases, your solution must meet at least the minimum Threshold requirements.
The CSfC Multi-Site Connectivity Capability Package details specific requirements for all of the following components of a solution:
- VPN Gateways
- MACsec Devices
- Inner and Outer Encryption Components
- Port Filtering
- Configuration Change Detection
- Device Management
- Continuous Monitoring
- System Management
When building your solution, use the capability package to determine what the requirements are for each component, and then find a provider of each component on the CSfC Components List.
If you’re daunted by the very prospect of getting started, NSA also provides a list of Trusted Integrators - third-party contractors who have met a strict set of criteria and can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
If you’d prefer not to develop a solution in-house, there are also a number of vendors that make CSfC kits.
After finding the right CSfC vendor and outlining your use case, you can remain fairly hands-off during the development process. Once this is complete, you can submit the final CSfC solution to NSA for approval.
To sum up: no matter your level of technical expertise or time commitment, a CSfC solution is within reach.
How the CSfC Multi-Site Connectivity Capability Package protects data
To protect classified data in transit across untrusted networks, the capability package for multi-site connectivity requires classified data packets to be encrypted twice before being sent over an untrusted network: first by an Inner Encryption Component, and then by an Outer Encryption Component.
Using two nested, independent encryption tunnels helps to protect the confidentiality and integrity of data as it moves through an untrusted network.
Each of the two tunnels helps protect data flow by using one of two independent encryption protocols:
- Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway
- Media Access Control Security (MACsec) generated by a MACsec Device.
The outer tunnel of a dual tunnel VPN refers to the components that terminate the outer layer of encryption.
Using a double VPN tunnel provides an extra layer of protection and redundancy for classified data traveling across mobile networks. If a malicious actor manages to hack through the outer tunnel, the data remains secure thanks to the additional encryption provided by the VPN’s inner tunnel.
The double layer of encryption helps to prevent data spillage, a security incident where classified information is exposed to an unauthorized system or individual.
This means that CSfC VPN solutions can transport extremely sensitive information, all the way up to the TS (Top Secret) level.
Additional use cases for the CSfC Multi-Site Connectivity Capability Package
In addition to connecting multiple branches, some other use cases for the Multi-Site Connectivity Capability Package include setting up leased lines to office (or multiple offices) locations.
Recently, leased line providers have been building specialized solutions for government organizations. While they have a history of providing dedicated unclassified lines to the internet for their customers, in recent years, some of them have been looking to expand their core business to cover a secret-level internet connection to those offices.
They achieve this by providing leased, CSfC-approved equipment for multi-site connectivity along with the leased line, allowing offices to be immediately set up for sending and receiving classified data.