The Wireless LAN Capability Package was developed as part of the Commercial Solutions for Classified (CSfC) Program and is meant to help those working to implement a solution that will protect classified data in transit across campus-wide networks.
The package typically applies to organizations that handle classified data and are working to build out a campus-wide solution for Wi-Fi connectivity. In these kinds of cases, the site will need to have a physical, protected barrier surrounding it to ensure no unauthorized parties can access the network.
The goal of building a solution like this is to provide something similar in convenience and function to cross-campus Wi-Fi connectivity for onsite workers, while maintaining security for classified data.
How to use the CSfC Wireless LAN Capability Package
The Commercial Solutions for Classified (CSfC) program was created to provide solutions to communicate classified data using methods that are simpler than typical Type 1 communications equipment. It is an NSA initiative that allows U.S. government agencies to use commercial off-the-shelf (COTS) products and technologies that have been verified and approved to meet national security standards.
The basic idea behind the CSfC program is “defense in depth” (DiD), a well-established concept in cybersecurity that involves layering multiple commercial IT security solutions on top of each other in the belief that the risk that all of these solutions will fail is much lower than it would be when using a single solution.
The CSfC program allows organizations to build solutions using commercial products that have all been pre-approved for use in handling classified data. All parts listed in the Commercial Solutions for Classified (CSfC) Components List must first go through the NIAP certification process.
This process, along with inclusion on the CSfC Components List, allows organizations to be certain that the commercial parts they are using will provide enough security to keep the classified information they transmit secure.
How to Build a Solution
Proper implementation of a CSfC solution requires multiple components from different vendors in which each component within your final product must be CSfC approved.
To simplify the process, the NSA provides Capability Packages, which are essentially reference architectures to be used as a starting point for building a CSfC solution. Using a Capability Package greatly increases the odds that your final CSfC solution will receive NSA certification.
The Wireless LAN Capability Package provides high-level reference designs for building a campus-wide wireless network and corresponding configuration information that allows you to select parts from the Commercial Solutions for Classified (CSfC) Components List to meet your needs.
To implement a site-wide wireless solution successfully based on the capability package, you’ll need to ensure all "Threshold" requirements, and the corresponding applicable "Objective" requirements for the capability you want are implemented. Threshold requirements detail important component features that provide the minimally acceptable capability for security, whereas objective requirements specify important component features that provide the preferred level of security desired.
You’ll want to do your best in all cases to meet the Objective requirements, but when that's not possible, your solution must at least meet the minimum Threshold requirements.
The CSfC Wireless LAN Capability Package specifies three different types of networks: Red, Gray, and Black. This terminology is used to describe the level of protection required for each network, as follows:
- Red Network: Data on the Red network consists of unencrypted classified data, and a Red Network contains only Red data. By definition, a Red Network is controlled by the solution owner or a trusted third party and is located behind an Inner VPN Gateway with the additional protection of an Intrusion Detection or Prevention System. End user devices (EUDs) on the Red Network may only communicate with other devices through the Campus WLAN solution if both operate at the same security level.
- Gray Network: Data on the Gray network is classified data that has been encrypted a single time. The Gray network is located between an Inner VPN Gateway and the WLAN Access System. Gray Networks are composed of Gray data and Gray Management Services, including firewalls and security information and event management software (SIEMs), managed through a Gray administration workstation. Gray Networks are controlled, both physically and logically, by the solution owner or a trusted third party.
- Black Network: The Black network is the wireless network between the End User Device and the WLAN Access System, in which data is protected with two layers of encryption. Black Networks are not required to be under the control of the solution owner and may be operated by an untrusted third party.
The CSfC Wireless LAN Capability Package details specific requirements for all of the following components of a solution:
- End User Device Components
- WLAN Client Configuration Requirements
- VPN Components
- VPN Client Configuration Requirements
- WLAN Access System
- Port Filtering
- Wireless Intrusion Detection System (WIDS) Requirements
- Configuration Change Detection
- Device Management
- Continuous Monitoring
- Key Management
- Gray Firewall
When building a CSfC solution, you can use the capability package to determine what the requirements are for each component, and then use the CSfC Components List to find a provider of each component.
If you’re daunted by the very prospect of getting started, NSA also provides a list of Trusted Integrators - third-party contractors who have met a strict set of criteria. These organizations can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
If you’d prefer not to develop a solution in-house, there are also a number of vendors that make CSfC kits.
After finding the right CSfC vendor and outlining your use case, you can remain fairly hands-off during the development process. Once this is complete, you can submit the final CSfC solution to NSA for approval.
To sum up: no matter your level of technical expertise or time commitment, a CSfC solution is within reach.
Use cases for the CSfC Wireless LAN Capability Package
The primary purpose of the Wireless LAN capability package is to build something as close to campus-wide Wi-Fi as possible for organizations that deal with highly sensitive, classified data.
By their nature, Wi-Fi networks aren’t inherently secure, so the Wireless LAN capability package helps organizations build something that fulfills a similar function while maintaining a high level of security. It is usually meant for coverage inside buildings or places where you have a large amount of physical space because it is very important that there are clear physical barriers to the network, with a protected access perimeter, to prevent unauthorized access to it.