The Data at Rest Capability Package was developed as part of the Commercial Solutions for Classified (CSfC) Program and is meant to help those working to implement a solution that will protect classified data stored on end-user devices.
The package typically applies to organizations that handle classified data and that are working on a solution that ultimately leaves some number of their devices outside of their control. It is commonly combined with a CSfC mobile access solution.
The goal of building a solution that combines mobile access with data at rest is to allow for individuals in the field to work as securely as they would from within an office, connected to the secure network, while still keeping any data stored on their devices safe.
How to use the CSfC Data at Rest Capability Package
The CSfC program was created in order to provide solutions that transmit classified data using methods that are simpler or less expensive than typical Type 1 communications equipment.
The CSfC program is an initiative launched by the NSA that allows U.S. government agencies to use commercial off-the-shelf (COTS) solutions that have been verified and approved to meet national security standards (NSS).
Utilizing a well-established cybersecurity concept, “defense in depth” (DiD), the CSfC program encourages layering multiple off-the-shelf IT security solutions on top of each other. Why? The risk that all of these solutions will fail is much lower than it would be when using a single solution.
The CSfC program allows organizations to build solutions combining multiple commercial products that have all been verified and pre-approved for use in handling classified data. All parts listed in the Commercial Solutions for Classified (CSfC) Components List must first go through the NIAP certification process in order to prove sufficient levels of security.
This process, along with inclusion on the CSfC Components List, allows organizations to be certain that the commercial parts they are using will provide enough security to protect the classified information they transmit.
Read the Complete CSfC Guide
Your Complete Guide to Building a CSfC Approved Solution.
How to Build a Solution
Proper implementation of CSfC requires multiple components from different vendors, in which each part within your final product will need to be CSfC approved.
To simplify the process, NSA provides Capability Packages, which are essentially reference architectures to be used as a starting point for building CSfC solutions. Using a Capability Package makes it much easier to achieve, and greatly increases the odds that your final CSfC solution will receive, NSA certification.
The Data at Rest Capability Package provides system-level solutions frameworks for the security requirements and configuration information that allow you to select parts from the Commercial Solutions for Classified (CSfC) Components List to be assured your product will have sufficient protection for classified data stored on an end-user device.
The requirements contained in the Data at Rest Capability Package ensure that your final solution properly uses Commercial National Security (CNSA) Suite encryption. These particular algorithms meet NSA's standards for the protection of sensitive information and will be used at different levels of your COTS products.
Most importantly, you are required to use two independent layers of encryption to protect information stored on the end-user device -- typically a combination of hardware and software-based encryption. This helps to mitigate the risk of unauthorized access to any classified information that might be stored on those devices.
The capability package also details the required methods of authentication to access the device, and the data stored there, through the two layers of encryption. When the device is started up, the user will have to enter a pin to unlock the hard-drive, and then log in and unlock the software based-encryption with a separate pin.
Additionally, it provides guidance on the physical control and management of the end-user device, including what to do when it is lost. For more information on this, refer to the actual Capability Package to learn more about “lost and found” and “incident reporting” details.
The CSfC Data at Rest Capability Package specifies three different types of data: Red, Gray, and Black. This terminology is used to describe the level of protection required for each data type, as follows:
- Red Data: Unencrypted classified data that is stored or processed on the end-user device. This data can be accessed once the user authenticates through both levels of encryption.
- Gray Data: Classified data that has been through one layer of encryption. This data can be accessed once the user authenticates through the outer layer of encryption.
- Black Data: Classified data that has been through both layers of encryption. This is how data is stored when the device is off or has not been authenticated yet.
The CSfC Data at Rest Capability Package details specific requirements for all of the following components of a solution:
- Software Full Disk Encryption
- File Encryption
- Platform Encryption
- Hardware Full Disk Encryption
- End-User Device
- Removable Media
When building a CSfC solution for data at rest, use the Capability Package to determine what the requirements are for each component, reference the sample solution designs, and then find a provider on the CSfC Components List from which to source each required component.
If you’re daunted by the prospect of getting started, NSA also provides a list of Trusted Integrators. These are third-party contractors who have met a strict set of criteria and can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
If you’d prefer to outsource solution development, there are also a number of vendors that make CSfC kits.
After finding the right CSfC vendor and outlining your use case, you can remain fairly hands-off during the development process. Once this is complete, you can submit the final CSfC solution to NSA for approval.
The most important thing to keep in mind is that no matter your level of technical expertise or time commitment, a CSfC solution is within reach.
Read the Case Study: CSfC Case Study
Attila’s GoSilent implemented as a secure, portable, low cost, high-bandwidth VPN for CSfC communications campus-wide.
Use Cases for the CSfC Data at Rest Capability Package
The Data at Rest Capability Package is applicable across a wide variety of use cases. The most important factor across all of these is the need to protect data on end-user devices that are outside of a strict, physically controlled environment.
This capability package is most commonly required when building a Mobile Access solution because, by definition, devices will have to be outside of a protected environment to connect.
Some common use cases for building a mobile access solution include remote access for traveling executives or field operatives.
It is also frequently required for law enforcement agencies who need the ability to set up mobile security operations centers (SOCs) or command centers at a moment’s notice.