CSfC Frequently Asked Questions (FAQs)

General FAQs

 What is CSfC?

Commercial Solutions for Classified (CSfC) is NSA’s commercial Cybersecurity strategy that leverages industry innovation to deliver solutions with efficiency and security. The program is founded on the principle that properly configured and layered solutions can provide adequate protection of classified data in a variety of different applications. NSA/CSS policy mandates CSfC as the first option to be considered to satisfy a CS requirement.

 Who oversees/manages CSfC?

The National Security Agency (NSA) oversees/manages the Commercial Solutions for Classified (CSfC) program.

 Where can additional information be found for CSfC?

Additional information about the CSfC program can be found online via SIPRNet or JWICS.

 Who are the typical CSfC clients?

Typical CSfC clients are National Security Systems (NSS) stakeholders, which include the Department of Defense (DoD), the Intelligence Community (IC), Military Services and other federal agencies. These clients utilize commercial solutions based on CSfC Capability Packages (CPs) to quickly implement cybersecurity solutions that satisfy their mission objectives.

 Is there Committee on National Security Systems (CNSS) Policy on CSfC?

Yes. CNSS Policy 7, dated 9 December 2015, applies to all USG Departments and Agencies that use, or plan to use, implement, or test CSfC solutions to protect NSS. It provides a minimum set of security measures required and directs Departments and Agencies on how to safeguard NSS, and the information contained therein.

Additionally, CNSS Policy 11, dated 1 June 2013, establishes the preferential use of layered COTS product solutions to protect information on NSS and establishes processes and procedures for the evaluation and acquisition of Commercial Off The Shelf (COTS) and Government Off The Shelf (GOTS) Information Assurance (IA) or IA-enabled IT products to be used on United States Government (USG) NSS.

 Why does NSA have a commercial cybersecurity strategy?

U.S. Government customers increasingly require immediate use of the market’s latest commercial hardware and software technologies within National Security Systems to achieve mission objectives. In response to rapidly evolving customer requirements, the NSA is developing information assurance/cybersecurity solutions based on emerging technologies.

 Why would a client want to use CSfC?

The Commercial Solutions for Classified (CSfC) Program harnesses the power of commercial industry, and provides a secure alternative to GOTS IA solutions. It has transformed the delivery of cybersecurity solutions to NSS customers, including Combatant Commands, Military Services and USG departments and agencies. As a result of NSA’s investment into research and application of commercial technologies, NSS customers can securely communicate using commercial products.

Benefits include:

  • End-to-End Solutions – Provides NSA designed and approved solutions, leveraging a cadre of vetted, trusted system integrators.

  • Flexibility and Transparency – Leverages NIAP-validated components, satisfying US and Collaborative Protection Profile requirements, validated against international Common Criteria.

  • Cost Effectiveness and Efficiency – Allows clients to keep pace with technological progress and employs the latest capabilities in their systems and networks. Accelerates the time required to build, evaluate and deploy cybersecurity solutions by utilizing technologies already available to the commercial sector. Potential cost savings may be realized through marketplace competition and rapidly deployable, scalable commercial products.

  • Standards based – Leverages open, non-proprietary interoperability and security standards.

  • Monitoring and Response – Provides situational awareness about components use and location, as well as documented incident handling procedures.

  • Technical Expertise – Driven by NSA’s world-class team of system engineers, threat analysts, and cyber experts

 What is the client’s role in CSfC? What responsibilities will the client have in stating their requirements and managing their security solutions?

CSfC allows clients to use COTS products, and to tailor their solution, to meet their specific performance and environmental needs. This results in an optimal IA/cybersecurity solution for the client. To support this effort, NSA has developed, approved and published Capability Packages (CPs). For information, or assistance in determining whether an approved CP meets their needs, clients may engage NSA through their designated NSA client advocates and the NSA Client Contact Center.

Clients must register all CSfC solutions operating on NSS, or protecting NSS information. This includes submitting the appropriate compliance checklist, registration form and network diagrams. Although not mandatory, CSfC strongly encourages working with a Trusted Integrator while designing, building and testing a CSfC solution. Clients are responsible for obtaining, under their organization’s established accreditation and approval process, certification and accreditation of the client implementation of a CP. A client is strongly encouraged to email the CSfC PMO (CSfC@nsa.gov) early in the process to advise NSA that you plan to register a solution before finalizing your design.

 How often is the CSfC website updated?

CSfC maintains a web presence on multiple security domains, and these sites are updated frequently to reflect changes and enhancements to the Capability Packages/Annexes, the Components List, and the Trusted Integrator List. The CPs/Annexes available on the websites are reviewed and updated biannually.

 Can commercial industry participate to help develop requirements for commercial components?

Yes, NSA encourages innovation and works with technical communities from across industry, government and academia. Together, they develop product-level requirements called USG Protection Profiles (PPs). Additionally, commercial industry can participate by taking part in Technical Communities (TCs) that help with the development of PPs. 

 Does CSfC specify any physical security requirements?

Yes, required physical security requirements are specified in the corresponding CSfC Capability Packages or documented in the relevant Protection Profiles (PP). These requirements may include, but are not limited to, anti-tamper, tempest, and authentication.

 What assurance features are incorporated into the CSfC solution designs?

Multiple levels of assurance are incorporated into every CSfC solution.  These features begin at the design phase and continue through the solution lifecycle with periodic assessments. Assurance features are customized with individual implementations, however they typically include:

  • Product diversity using layered solutions for commercial components.

  • Component selections from the approved CSfC Components List. The list ensures components have satisfied specific requirements and been evaluated by a Common Criteria Testing Lab, which includes compliance with the applicable public standards and protocols as specified in the PPs and CSfC CPs.

  • Risk models and risk assessments for CSfC prototypes and CPs.

  • Analysis of standards, protocols and algorithms used in a particular solution or prototype

  • Vulnerability analysis of appropriate products and solutions, as well as follow-on National Manager Risk Notifications and mitigation guidance, as needed.

  • Established security incident response process.

  • Security testing of CPs that provide sufficient guidance for accreditors to make informed decisions. Also, an independent senior review of CPs to provide high-level security and configuration guidance.

 Can a CSfC solution be used on coalition networks?

CSfC is an appropriate solution where the client is protecting information in transit to foreign nationals.

 Can a CSfC solution be deployed to replace a Protected Distribution System (PDS)?

There is a strong business case for deploying a CSfC solution as a replacement for a PDS. PDSs with COMSEC CCIs may be more costly and logistically intensive compared to modern technologies and architectures. However, individual requirements and solutions may vary.  Local policy justification and cost analysis should be conducted.

 Does CSfC replace NSA's Government-off-the-Shelf (GOTS) IA strategy?

No, CSfC is a secure alternative to GOTS. NSA will examine the client’s needs to ensure the right tool is used at the right place and in the right environment.

 Does NSA still support GOTS, and is it as secure as COTS cyber security solutions?

NSA’s strategy for protecting classified information continues to employ both COTS and GOTS solutions. However, NSA will look first to CSfC in helping clients meet their needs for protecting classified information.

NSA continues to support clients who already use GOTS or who have needs that can only be met via GOTS. CSfC is focused on IA/cybersecurity solutions that feature properly configured and layered COTS products to provide adequate protection of classified data.

Capability Package FAQs

 What is a CP and what approved CPs are listed on the CSfC website?

Capability Packages (CPs) are solution-level specifications and the foundation of the CSfC Program. They are vendor-agnostic and provide high-level security and configuration guidance.
NSA uses a defense-in-depth approach using properly configured, layered solutions to provide adequate protection of classified data for a variety of different capabilities. CPs support this by providing high-level reference designs and corresponding configuration information. Clients can then select COTS products from the CSfC components list and properly configure those products.  This results in a level of assurance sufficient for protecting classified and unclassified National Security Systems’ (NSS) data.
The National Manager approved capabilities are:

 How often will Capability Packages (CPs) be changed, and how are the changes managed?

CPs are reviewed by NSA semi-annually and revised to keep on pace with changing technology and policies. CPs incorporate lessons learned from early adopters before additional security products and services are selected. Updates are driven by new client needs, technology advances, policies and problems encountered with the use of existing documents.

NSA retains responsibility for reviewing requests, identifying the need, and determining which changes will be implemented.

 Who designs and approves the solution-level specifications for Capability Packages?

NSA designs, develops, approves and publishes solution-level specifications as Capability Packages (CP). These CPs provide the client with ready-access to the information needed to satisfy operational requirements.

In accordance with the Committee on National Security Systems (CNSS Policy 7), “Use of Commercial Solutions to Protect National Security Systems,” the Deputy National Manager (DNM) must approve CSfC CPs developed under the CSfC process.  Furthermore, all CSfC solutions operating on, or protecting, NSS information must be registered with NSA.

Trusted Integrators (TIs) specialize in architecting together CSfC components in accordance with the CPs to ensure secure and proper solution functionality.  They support NSS clients with the implementation of solution-level specifications outlined in the CPs.  TIs do not approve the solutions.

 Who are the POCs for the published CPs?

Questions regarding the CPs can be emailed to the specific Capability Package Maintenance Teams at the following:

 Where are the Deputy National Manager approved CPs located?

Current and approved CPs are listed on the CSfC webpage at: https://www.nsa.gov/resources/Commercial-Solutions-for-Classified/Capability-Packages

 What is the difference between a “.8” and an “approved” version of a Capability Package? Can a client register a solution against .8 versions of CPs?

All solutions must be registered based upon the DNMs approved versions, which are clearly identified on the website. Clients cannot register solutions based on .8 versions. The .8 versions of the CPs are provided to initiate discussions and solicit feedback regarding possible additions to the CPs. NSA welcomes input and feedback. Opportunities to comment on .8 versions can be tracked via the CSfC Main Capability Package & Annex Schedule. To contribute to a CP/Annex in development, please contact the CSfC PMO at csfc@nsa.gov.

 What are the current approved CPs and how do they work?

A brief description of each of the current Capability Packages (CPs) follows:

  • Mobile Access (MA CP)

    • The MA CP describes a general mobile access solution that protects classified information as it travels across either an untrusted network or a network consisting of multiple classification levels. This includes protecting classified data transiting wired networks, domestic cellular networks, and trusted wireless networks to include government private cellular networks and government private Wi-Fi networks.

    • This solution supports connecting End User Devices (EUDs) to a classified network via two layers of encryption terminated on the EUD, if the EUD and the network operate at the same security level. The MA solution uses two nested, independent tunnels to protect the confidentiality and integrity of data (including voice and video) as it transits the untrusted network. The MA solution utilizes IPsec as the outer tunnel and, depending on the solution design, IPsec or Transport Layer Security (TLS) as the inner layer of protection.

  • Campus WLAN (WLAN CP)

    • The WLAN CP enables the client to meet the demand for commercial End User Devices (EUDs) -- such as tablets, smartphones, and laptop computers -- to access secure enterprise services over a campus wireless network. The Campus WLAN CP enables the client to implement layered encryption between a secure network and an EUD.

    • The WLAN CP provides a reference architecture and corresponding configuration information leveraging the list of COTS products from the CSfC Components List. Approved COTS devices will be used for the client’s Campus wireless local area network (WLAN) solution which, when properly configured, will achieve a level of assurance sufficient for protecting classified data while in transit. Layers of COTS products using Suite B algorithms protect the classified data.

  • Multi-Site Connectivity (MSC CP)

    • The MSC CP (sometimes referred to as “VPN 3.2 CP”) describes a general MSC solution to protect classified information as it travels across either an untrusted network or a network of a different security level. The solution supports interconnecting two or more networks operating at the same security level via encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations.

    • The MSC Solution uses two nested, independent encryption tunnels to protect the confidentiality and integrity of data as it transits the untrusted network. The two encryption tunnels protecting a data flow can use either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure.

  • Data at Rest Capability Package (DAR CP)

    • The DAR CP enables customers to implement two independent layers of encryption for providing protection for stored information using NSA approved cryptography while the End User Device (EUD) is powered off or in an unauthenticated state (defined as prior to a user presenting credentials and being validated by both layers of the DAR solution). Specific data to be protected must be determined by the data owner.

    • Although the DAR solution designs can protect the confidentiality of data and render the EUD unclassified, it does not protect the integrity of an EUD outside of the control of an approved user. Therefore, implementing organizations, as part of their solution, must define the circumstances in which an EUD is to be considered outside of the Positive Control of authorized users (i.e., "lost"). Authorizing Officials (AOs) will define the circumstances for considering a device outside of the Positive Control of an authorized user that aligns with the intended mission and threat environment for which the solution will be deployed.

 Where can information about future direction and requirements for new/revised CPs be located?

Updates will be posted to the Coming Soon Page as new information becomes available. Also, any client wishing to receive email notifications about updates to this website may email the CSfC PMO at csfc@nsa.gov with any questions. CSfC information is available at:

 How can clients be more successful implementing solutions in compliance with CP requirements?

Clients can improve the likelihood of success for their solution implementation by utilizing the services of an experienced solution integrator. A list of approved Trusted Integrators is available at:

https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Trusted-Integrator-List/

 Does the client need to notify NSA if any changes are made to the solution implementation of the Capability Package?

Yes, if a Trusted Integrator or the client decides to make changes to a solution implementation that results in the solution no longer conforming to a current CP, the client must notify NSA.

 What are Retransmission Devices (RDs)?

The government-owned RD is a category of devices that includes Wi-Fi hotspots and mobile routers. On the external side, the RD can be connected to any type of medium (e.g., cellular, Wi-Fi, SATCOM, Ethernet) to gain access to a Wide Area Network. On the internal side, the RD is connected to EUDs either through an Ethernet cable or Wi-Fi. When the RD is a Wi-Fi access point connected to the EUD (or multiple EUDs), the Wi-Fi network must implement Wi-Fi Protected Access II (WPA2) with Pre-Shared Key (PSK). The EUD must be configured to only permit connections to authorized RDs. RDs are only permitted to establish connectivity to the Black Network, and may not be placed between Outer Encryption Components and Inner Encryption Components. More information on RD specifications and requirements can be found by accessing the Mobile Access Capability Package (MA CP).

 Since biometrics are optional, are there any plans for specific supplemental CSfC selections in this area?

While there are biometric details written into NIAP's MDF PP, there are currently no biometric selections for CSfC.

 Will biometrics, if allowed, be limited to only the fingerprint template?

As specified in the Mobile Access Capability Package (MA CP 2.1, Section 4.4, Authentication): "The second factor will be a 'something-you-have' factor manifesting as a physically separate token from the VPN EUD supplying a one-time password for the user to enter. For future versions of the MA CP, transferring this one-time password via a short-range RF communication will be explored. Allowing 'something-you-are' (e.g. biometric) as a second factor is also being explored for future versions."

 Who assumes responsibility for the inherent risk in Capability Package designs?

In CSfC, the overall risk of the solution is shared.  The Deputy National Manager (DNM) for National Security Systems (NSS) assumes the inherent risk in the solution designs as specified in the published CPs. On the other hand, the Client's Authorizing Official (AO) is responsible for ensuring the fielded solution complies with the CP specifications and remains in compliance. 

 How does the alternative authentication mechanism apply with the DAR Solution? Is a primary authentication mechanism still needed?

Many products offer alternate authentication mechanisms. When implementing the DAR solution, these alternate mechanisms may be used only as a secondary (non-validated) authentication factor and must be paired with a primary authentication factor. Secondary factors may act as an additional access control or may contribute to the product’s key chain; the product’s protection profile evaluation guarantees there is no loss in strength when combining keys with potentially weaker sources.

 What does Data at Rest (DAR) have to do with Diversity and Supply Chain?

Supply Chain and Diversity co-exist with DAR. Supply chain attacks may occur during development, production, updates, distribution, shipping, in storage, during operations or at disposal. For this reason, it is imperative that all components selected for use in CSfC solutions are subject to the applicable Supply Chain Risk Management (SCRM) process to reduce the risk of acquiring compromised components.

Diversity is applied by using multiple layers with components that meet the CSfC vendor diversity requirements. This reduces the likelihood that a single vulnerability can be exploited to reveal protected information. Each component selected from the CSfC Components List must go through a Product Supply Chain Risk Management (SCRM) Assessment to determine the appropriate mitigations for the intended application of the component per the organization’s AO-approved Product SCRM process.

 How long does a client (Government Agency) have to comply with a newly released Capability Package (CP)?

Once a new version of a CP is published, the client may continue to operate up to re-registration.  In accordance with CSfC policy, the client must comply with the new version upon re-registration. CSfC PMO will send out 120-day, 60-day and 30-day notifications of registration expirations to the client via email.

 Who dictates the installation of patches for solution components for Capability Packages (CPs)?

Local policy dictates how the Security Administrator installs patches to Solution Components. This is to ensure that the latest patches and updates are applied to each product in a timely fashion. Critical patches shall be tested and subsequently applied to all components in the solution in accordance with local policy and the CPs.

Components List FAQs

 What is the CSfC Components List?

The CSfC Components List consists of NSA-approved components that can be used in National Manager approved commercial IA/cybersecurity solutions. The components are architected together by the client or integrator to satisfy the reference architectures and configuration information contained in published Capability Packages (CPs). The client must ensure that the components selected will permit the necessary functionality for the selected architecture.

 Who maintains the Commercial Solutions for the Classified (CSfC) Components List?

The CSfC PMO maintains the Components List. Additional information, to include the list of components, can be found online at:

 What is the process for commercial component developers to have their products become eligible as CSfC components?

Commercial component developers, who wish for their products to be eligible for CSfC, must build them in accordance with the applicable US Government approved or collaborative Protection Profiles.  Then, they must submit their product for evaluation in accordance with the established Common Criteria process. After that, the commercial component developer will enter into an MOA with NSA.

Interested commercial component developers must complete and submit the CSfC Questionnaire for each product. Submit completed Questionnaires to: csfc_components@nsa.gov.

 What are the benefits of being included on the CSfC Components List?

In accordance with CNSS Policy 7, only approved products on the CSfC Components List can be used in commercial cybersecurity solutions protecting classified NSS data.

 Where can I see the technology categories for the CSfC Components List?

The technology categories are listed on the CSfC Components List. Additional information can be found online at:

 Where can current listings of the approved Protection Profiles (PPs) be accessed?

Currently approved and in-development listings of NIAP-approved US Government and Collaborative PPs are provided online on the NIAP site.

 Why is there an Archived Components List?

The Archived Components List outlines products that are no longer approved for use in CSfC solutions. Any client using products from the Archived Components List must transition to currently approved products when renewing a registered solution, making changes to the registered solution, or when security risks mandate a change.

 How frequently is the Components List updated?

The Components List is updated every two to three weeks or when necessitated by a significant change.

 Where can information on CSfC manufacturer diversity requirements be found?

The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers. The manufacturer must show sufficient independence in the code base and cryptographic implementations of the products used to implement each layer. To demonstrate this, a manufacturer must document the similarities and differences between the two products, to include cryptographic hardware components, software code base (i.e. operating system), software cryptographic libraries and development teams. It is a fundamental requirement that the code bases of the two products be significantly different. Additionally, the vendor must document measures taken to ensure that supply chain risk is no greater than would be the case for products from two different vendors. NSA will review the information and determine whether the documentation is sufficient to meet the requirements for independent layers. Manufacturer diversity will continue to be accepted as constituting independent layers. Vendors who wish to submit a statement may do so at csfc_components@nsa.gov.

 Can open-source components be used in CSfC?

An open-source component may be used, provided it has a responsible sponsor and an NSA-approved plan for taking the component through the Common Criteria Evaluation.  In addition, a plan for the sustainment of the component that includes version updates and software patch installation is required. A client who wishes to use open-source components should contact csfc_components@nsa.gov and provide the evaluation, sustainment plan and the responsible parties for each open-source component.

Key Management Annex/Enterprise Gray Annex FAQs

 Who issues certificates?

Certificates are issued by a US PKI Certificate Authority (CA). The CSfC PMO is exploring the idea of a solution that involves a US and foreign partner nation issuing certificates from their respective sides.  

 What is the difference between Enterprise Gray (EG) and Global Gray networks?

The Enterprise Gray network allows a single Authorizing Official (AO) to implement a Commercial Solutions for Classified (CSfC) deployment for supporting a National Security System (NSS) enterprise environment. The EG deployment may feature overlap of more than one CP, centralized or remote management, enhanced scalability, or redundant or distributed infrastructure for higher availability. The Global Gray network is primarily envisioned as the sharing of a distributed CSfC ecosystem to support Data-In-Transit for large scale networks (e.g. SIPRNet) with multiple AOs assuming various responsibilities. Conceptually, a primary entity (e.g. DISA) would own/operate and provide access to this gray network as a service. Features may include those already identified for the Enterprise Gray network along with the clear benefit of interagency interoperability.

 Is there any CP that provides support for multiple security levels?

Mobile Access CP and Campus WLAN CP provide support for multiple Red networks of different security levels. The solutions provide secure connectivity between EUDs and the Red Network of the same security level while preventing EUDs from accessing Red Networks of different security levels. A single implementation of the MSC Solution may support Red networks of different security levels. The MSC CP version 1.1 provides secure connectivity between the Red networks within each security level while preventing Red networks of different security levels from communicating with one another. This enables a customer to use the same physical infrastructure to carry traffic from multiple networks. More information regarding multiple security levels can be found in the MA CP, the WLAN CP, and the MSC CP.

 Can CSfC be utilized to protect classified data exchanges with foreign partners when the US owns/operates all components of a solution?

CSfC can be used to protect classified data exchanges involving foreign partners if the US owns/operates all components of a solution.

 Can CSfC be utilized to protect classified data exchanges with multiple foreign partners connected to a bilateral network when the US owns/operates one side and foreign partner nation owns/operates the distant side?

The CSfC PMO is exploring the idea of supporting data exchanges where the US owns/operates one side and the foreign partner(s) owns/operates the distant side.

 How does CSfC mitigate supply chain concerns?

Supply chain concerns are mitigated down to an acceptable level by selecting components from the CSfC components list and utilizing a rigorous acquisition process.  Furthermore, an AO must perform due diligence when integrating commercial components for mission operations. Each component must go through a Product Supply Chain Risk Management (SCRM) Assessment to determine the appropriate mitigations for the intended application of the component per the organization’s AO-approved Product SCRM process. Additionally, CSfC addresses the supply chain concern by applying multiple layers of components that utilize Commercial National Security Algorithm (CNSA) Suite encryption and meet the CSfC vendor diversity requirements, which then reduces the likelihood that a single vulnerability can be exploited to reveal protected information.

 What is Commercial National Security Algorithm (CNSA) suite encryption?

CNSA algorithms (previously known as Suite B) are approved by the National Institute of Standards and Technology (NIST). The CNSA suite is a set of commercial algorithms that includes cryptographic algorithms for confidentiality, key exchange, digital signature and hashing capable of protecting data through the Top-Secret level. Specific protocols are in the Capability Packages (CPs).

 What happened to Suite B? Why was it replaced with the CNSA suite?

NSA issued a CNSS Advisory Memorandum 02-15 listing cryptographic algorithms that can be used in NSS.  The CNSA Suite replaces the current Suite B Algorithms and provides new algorithms for clients who are looking for mitigations to perform. The transition from Suite B to CNSA is a result of NSS using more complex approved cryptographic algorithms. For questions about Suite B and Cryptography, contact the National Cryptographic Solutions Management Office (NCSMO) at (410) 854-8577.

 What algorithms are used in CSfC solutions?

CSfC solutions use asymmetric algorithms, as defined in the Commercial National Security Algorithm (CNSA) Suite, and X.509 certificates for component authentication to establish the Outer and Inner encryption tunnels. Specifically, the following algorithms will be required to protect all NSS up to the Top-Secret level:

  • AES 256 (confidentiality). Note that AES 256 is an objective requirement for WPA2 Enterprise.

  • RSA 3072 or ECDSA P-384 (digital signature and authentication).

  • RSA 3072, DH 3072 or ECDH P-384 (key exchange).

  • SHA-384 (hashing and integrity).

Customers protecting long-life intelligence data should contact the CSfC PMO (csfc@nsa.gov) for additional details on how symmetric key cryptography can be leveraged in the Capability Packages (CPs).
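The layering rules (MA: IPsec outer, IPsec or TLS inner; MSC: IPsec or MACsec per layer), the CNSA Suite algorithm selections above, the manufacturer diversity requirement and the Retransmission Device constraints quoted in this FAQ, encoded as a design-review check. This is an added example, not NSA or CSfC program tooling; the Solution/Layer data model, vendor and product names and the component lists are constructed for illustration.

```python
"""Design-review checks for a CSfC-style layered data-in-transit solution,
derived from rules stated in this FAQ. Added example, not NSA tooling:
the data model, vendor names and component lists below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# CNSA Suite selections quoted in the FAQ, grouped by purpose.
CNSA: Dict[str, set] = {
    "confidentiality": {"AES-256"},
    "signature": {"RSA-3072", "ECDSA-P384"},
    "key_exchange": {"RSA-3072", "DH-3072", "ECDH-P384"},
    "hash": {"SHA-384"},
}

# MA CP: IPsec outer, IPsec or TLS inner. MSC CP: each layer IPsec or MACsec.
ALLOWED_PROTOCOLS = {
    "MA": {"outer": {"IPsec"}, "inner": {"IPsec", "TLS"}},
    "MSC": {"outer": {"IPsec", "MACsec"}, "inner": {"IPsec", "MACsec"}},
}


@dataclass
class Layer:
    position: str               # "outer" or "inner"
    protocol: str
    manufacturer: str
    product: str
    algorithms: Dict[str, str]  # purpose -> chosen algorithm


@dataclass
class RetransmissionDevice:
    wifi_security: Optional[str]  # e.g. "WPA2-PSK"; None when Ethernet-only
    connects_to: str              # network reached on the RD's external side
    placement: str                # "outside-outer" or "between-layers"


@dataclass
class Solution:
    cp: str                       # "MA" or "MSC"
    layers: List[Layer]
    rd: Optional[RetransmissionDevice] = None
    # True only if NSA has accepted the vendor's same-manufacturer
    # independence documentation (manufacturer diversity FAQ).
    same_vendor_independence_accepted: bool = False


def check_solution(sol: Solution, approved: set, archived: set) -> List[str]:
    """Return findings; an empty list means no rule quoted on this page is violated."""
    findings: List[str] = []
    by_pos = {layer.position: layer for layer in sol.layers}
    if len(sol.layers) != 2 or set(by_pos) != {"outer", "inner"}:
        findings.append("solution must have exactly one outer and one inner encryption layer")
        return findings  # the remaining checks assume two layers

    for pos, layer in by_pos.items():
        allowed = ALLOWED_PROTOCOLS[sol.cp][pos]
        if layer.protocol not in allowed:
            findings.append(f"{pos} layer uses {layer.protocol}; {sol.cp} CP permits {sorted(allowed)}")
        for purpose, accepted in CNSA.items():
            chosen = layer.algorithms.get(purpose)
            if chosen not in accepted:
                findings.append(f"{pos} layer {purpose} algorithm {chosen!r} is not a CNSA Suite selection")
        if layer.product in archived:
            findings.append(f"{pos} layer product {layer.product} is on the Archived Components List")
        elif layer.product not in approved:
            findings.append(f"{pos} layer product {layer.product} is not on the CSfC Components List")

    outer, inner = by_pos["outer"], by_pos["inner"]
    if outer.manufacturer == inner.manufacturer and not sol.same_vendor_independence_accepted:
        findings.append("both layers from one manufacturer without NSA-accepted independence documentation")

    if sol.rd is not None:
        if sol.rd.wifi_security is not None and sol.rd.wifi_security != "WPA2-PSK":
            findings.append(f"RD Wi-Fi uses {sol.rd.wifi_security}; MA CP requires WPA2 with PSK")
        if sol.rd.connects_to != "Black":
            findings.append("RD may only establish connectivity to the Black network")
        if sol.rd.placement == "between-layers":
            findings.append("RD may not sit between the outer and inner encryption components")
    return findings


# Constructed component lists and designs for demonstration only.
APPROVED = {"VendorA-VPN-Gateway", "VendorB-TLS-Client", "VendorA-MACsec-Switch"}
ARCHIVED = {"VendorC-VPN-Legacy"}
CNSA_ALGS = {"confidentiality": "AES-256", "signature": "ECDSA-P384",
             "key_exchange": "ECDH-P384", "hash": "SHA-384"}

COMPLIANT_MA = Solution(
    cp="MA",
    layers=[Layer("outer", "IPsec", "VendorA", "VendorA-VPN-Gateway", CNSA_ALGS),
            Layer("inner", "TLS", "VendorB", "VendorB-TLS-Client", CNSA_ALGS)],
    rd=RetransmissionDevice("WPA2-PSK", "Black", "outside-outer"),
)

# Same shape, but with the kinds of deviations a review should flag.
WEAK_MA = Solution(
    cp="MA",
    layers=[Layer("outer", "TLS", "VendorA", "VendorA-VPN-Gateway", {**CNSA_ALGS, "hash": "SHA-256"}),
            Layer("inner", "TLS", "VendorA", "VendorC-VPN-Legacy", CNSA_ALGS)],
    rd=RetransmissionDevice("WPA2-Enterprise", "Red", "between-layers"),
)

if __name__ == "__main__":
    for name, design in (("compliant MA", COMPLIANT_MA), ("weak MA", WEAK_MA)):
        print(name, "->", check_solution(design, APPROVED, ARCHIVED) or ["no findings"])
```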

 The CSfC website states that there will be a transition from the CNSA (Commercial National Security Algorithm) suite to quantum resistance algorithms. Will this affect the use of components?

It is important to note that vendors and clients may continue to implement CNSA Suite algorithms. The preferred CNSA Suite standards should be used to the fullest extent possible when elliptic curve protocols are to be used.  They have a longer history of security evaluation and time-tested implementations than the newer protocols.

However, to provide more flexibility to commercial developers and clients, a transition to quantum-resistant algorithms is anticipated, in order to provide a quantum-safe future.

 Are the CSfC Capability Packages an alternative to Type 1 attended or unattended solutions?

CSfC has not replaced Type 1. CSfC CPs are an alternative to Type 1 solutions. The CPs empower the client to implement secure solutions using independent, layered Commercial Off-the-Shelf products from the CSfC Components List. CSfC solutions can be used to protect classified data in a variety of applications.

Based on the client's needs, NSA will use the correct tool for the right job (CSfC, Type 1, etc.). Very often, the right tool can include the layered use of commercial products in accordance with CSfC requirements. U.S. national policy (CNSSP-15) governs the protection of NSS (National Security Systems) and directs that CNSA (Commercial National Security Algorithm) suite solutions be used to protect those information systems.

 Can the CSfC solution be used to remove Taclanes from local buildings on the client’s site?

It may be possible to replace Taclanes with a CSfC solution, but it depends on several factors (requirements, AO, etc.). In general, the MSC CP is adaptable to support capabilities for multiple sites and/or multiple security levels, depending on the needs of the client. For more information on the MSC CP, please go to the CSfC website at:

https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/capability-packages/#multi-site

National Information Assurance Partnership (NIAP) FAQs

 Where can additional information about the NIAP Evaluation and Validation Process be found?

The NIAP Evaluation and Validation Process is explained in detail at: https://www.niap-ccevs.org/Ref/Evals.cfm

 What is the approximate length of time of a NIAP evaluation?

A NIAP evaluation can be completed in less than 90 days, but must not exceed 180 days (6 months). The time it takes to evaluate/validate a product depends on many factors, including: size and complexity of the product; the amount of evidence available vs. the amount that needs to be generated; and the availability of lab resources to do the evaluation. Common Criteria evaluations conducted outside of NIAP [in other Common Criteria Recognition Arrangement (CCRA) nations] may take longer. Additional information can be found on the NIAP webpage at: https://www.niap-ccevs.org/Ref/FAQ.cfm

 Is it possible for an IT product to be evaluated in non-US labs and still be used in the Commercial Solutions for Classified (CSfC) program?

Yes, NIAP can recognize evaluations conducted against NIAP-approved Protection Profiles in other schemes per the Common Criteria Recognition Arrangement (CCRA). Further information may be found at: https://www.niap-ccevs.org/Ref/CCRA.Partners.cfm

 Is it necessary to engage the National Information Assurance Partnership (NIAP) when modifying a component?

Guidelines concerning modifications to NIAP approved components can be found on NIAP’s assured continuity website, located at: https://www.niap-ccevs.org/Ref/FAQ.cfm.

 Are GOTS products evaluated by NIAP?

No, NIAP does not evaluate Government Off the Shelf (GOTS) products.

 Is Common Criteria mandatory for CSfC?

Yes, Common Criteria is mandatory for CSfC. Additionally, per CNSS Policy 7, all CSfC solutions operating on NSS systems, or protecting NSS information, must be registered with NSA.

 Why do some technology areas on the CSfC Components List have selectable requirements?

For certain technologies, the CSfC program requires specific selectable requirements from the applicable NIAP-approved Protection Profiles (PPs) to be included in a product’s Common Criteria Evaluation.  Selectable requirements are not mandatory for products to be listed on the NIAP Product Compliant List, but they are required in order for certain products to be listed on the CSfC Components List. Independent Testing Laboratories will evaluate the products to determine if they meet these requirements.


Policy FAQs

 Who can approve the certificate requests for Capability Packages (CPs)?

Certificate requests are approved by an authorized registration authority and submitted to the Certificate Authority in accordance with the corresponding CP.

 What is Committee on National Security Systems Policy (CNSSP) No. 7?

CNSS Policy 7 provides a minimum set of security measures required for US Government Departments and Agencies (D/A) use of CSfC solutions. The heads of D/As are ultimately responsible for protecting NSS (both classified and unclassified) that transmit, receive, process or store information using CSfC solutions.

D/As ensure all CSfC solutions comply with NSA requirements, as delineated in this policy. Implementation of CSfC solutions does not preclude the application of additional requirements associated with the security of NSS (e.g., physical security, TEMPEST, Operations Security).

 What is Committee on National Security Systems Policy (CNSSP) No. 15?

CNSS Policy 15 describes the requirements, roles and responsibilities associated with the use of public cryptologic protocols and algorithms to protect NSS and the information residing therein, or transmitted between NSS.

Protection Profiles FAQs

 Why are Protection Profiles (PPs) important?

Protection Profiles are implementation-independent sets of security requirements and test activities for a particular technology.  They enable achievable, repeatable and testable evaluations. PPs define security measures and assurance requirements that clients, Trusted Integrators and commercial component developers expect components to meet.

Commercial component developers who wish to have their products be eligible as CSfC components and approved for use as part of a composed, layered IA/Cybersecurity solution, must build their products in accordance with the applicable US Government approved PPs.

All products must demonstrate exact compliance to the applicable technology protection profile. NIAP assesses the results of the security evaluation conducted by an independent lab.  If the evaluation is successful, NIAP issues a validation certificate and lists the product on the US NIAP Product Compliant List.

US Customers, including Designated Approving Authorities (DAAs), Authorizing Officials (AOs) and integrators may treat the evaluation results as complying with CNSS Policy 11, Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products. PPs are intended to help all stakeholders and end users meet the increasing demand for cybersecurity by making it easy to procure, deploy and utilize certified, approved products.

 If a Protection Profile does not exist for a specific CSfC technology category, what is the next logical step?

The National Information Assurance Partnership (NIAP) should be contacted directly to discuss a way forward for each specific situation. For more information, please visit the NIAP website at: https://www.niap-ccevs.org/

 Who is responsible for interoperability among systems, and will there be interoperability Protection Profiles (PPs) or Capability Packages (CPs)?

Ultimately, it is the Client’s responsibility to ensure the solutions it procures satisfy specific interoperability needs. However, correctly utilizing the Capability Packages and Protection Profiles and leveraging the services of a Trusted Integrator will assist the client in achieving interoperability goals.

It is the commercial component developer’s responsibility to correctly implement the commercial standards that are referenced in the PP.  This enables interoperability with CNSA suite products from other commercial component developers. Clients and integrators should perform interoperability testing to ensure the components selected for their CSfC solution are interoperable.

Additionally, Capability Packages provide high-level reference designs and corresponding configuration information which facilitates, but does not guarantee, interoperability among components and systems.

 How does a vendor obtain a current Protection Profile?

Current versions of all PPs are available on the NIAP website at: https://www.niap-ccevs.org/Profile/PP.cfm

 How are updates or corrections to a Protection Profile (PP) made?

PPs are regularly updated to account for new security capabilities, address known vulnerabilities and align with industry standards and best practices. Approved, developing and archived PPs are located on the NIAP website along with other pertinent information.

 What assurances are there that a new system/capability will be CSfC compliant?

Commercial technologies from the CSfC Components List shall be used, in accordance with NSA's published CSfC Capability Packages (CPs), for protecting classified Data at Rest (DAR) or Data in Transit (DiT) for National Security Systems (NSS). Technologies must have been validated by Common Criteria Testing Labs, in accordance with the National Information Assurance Partnership (NIAP) Protection Profiles (PPs). CPs and the CSfC Components List can be found by visiting the CSfC Components List page. NIAP-validated products can be found at the NIAP website on the CCEVS Product Compliant List page. Developers who wish to submit registration packages to be evaluated for compliance should reach out to csfc_register@nsa.gov.

 Are IASRD requirements used in the creation of Protection Profiles?

Information Assurance Security Requirements Directive (IASRD) requirements are not used in the creation of the PPs.

 Do the optional requirements apply to CSfC?

Alternative versions of a requirement may exist in a Capability Package. Such alternative versions of a requirement are designated as being either a Threshold (T) requirement or an Objective (O) requirement. In many cases, the Threshold requirement also serves as the Objective requirement (T=O). Where both a Threshold requirement and a related Objective requirement exist, the Objective requirement improves upon the Threshold requirement and may replace the Threshold requirement in future versions of the CP. Objective requirements without a corresponding Threshold requirement are marked as "Optional", but improve upon the overall security of the solution and should be implemented where feasible.

 In a VPN solution, are all of the layers end-to-end (i.e., red/black/grey gateways, authentication)? For instance, when considering three classified enclaves of computers (A, B and C) where A is connected to B with a Site-to-Site VPN solution (basically, two VPN gateways in series) and B is connected to C with a HAIPE solution, is the data being sent from A to C encrypted end-to-end?

The data is not necessarily encrypted end-to-end, as not all layers are end-to-end. In the example above, data sent from A to C would not be encrypted end-to-end, as there would be a Red gateway at B for traffic between A and C. Each VPN tunnel could authenticate its peer; however, in this example that does not yield true end-to-end authentication.

In the instance described above, the configuration would not be a CSfC solution. Specifically, HAIPE is a GOTS solution, so this example would have a mix of both GOTS and CSfC solutions, which is not a typical, or necessarily recommended, solution.

 Which Protection Profiles apply to the CSfC Components List?

The CSfC Components List is available on the CSfC Website. Selecting an entry from this list brings up the specific components and the Protection Profiles that apply to them.

Solution Registration FAQs:

 What is the solution registration and approval process, and what registration forms/documentation are needed?

To assist their clients, NSA has developed Capability Packages (CPs) that contain the information needed to satisfy operational requirements. They are published on the CSfC website. The first step in any client’s solution registration is to review the CPs and determine whether one exists that meets their needs.

For information or assistance in determining whether an approved CP satisfies their requirements, clients (e.g., Department of Defense Component, Intelligence Community Organizations, and Federal Agencies) may engage NSA through their designated NSA client advocate and the NSA client contact center. Information can be viewed at: www.nsa.gov/about/contact-us/.

CSfC strongly encourages (but does not mandate) working with a Trusted Integrator while designing, building and testing a CSfC-compliant solution.  Users of the CPs are responsible for obtaining certification and accreditation of the CP’s implementation under their organization's established accreditation and approval processes.

The Capability Package Solution Registration process is outlined below:

  • Involve the CSfC PMO early in the process. Customers are strongly encouraged to email csfc_register@nsa.gov to advise NSA of their plan to register a solution before finalizing their design.

  • Obtain a Solution Registration Identification Number from the CSfC PMO.

  • Coordinate the completed Capability Package (to include the Registration Form, the CP-specific Compliance Checklists and the network diagrams) with the CSfC PMO prior to submitting the AO-signed versions. This will allow the CSfC PMO to review, assist and make recommendations to smooth the formal registration process.

  • Using CSfC guidance, configure and test the system in a controlled manner.

  • Submit the signed Capability Package to the CSfC PMO, to include:

    - Master Document, complete all tabs relevant to your solution
    - Request Classified (CSfC) Registration Review (Open in PDF & Enable All Features)
    - Network diagram(s)
    - Concept of Operations Document (CONOPS)
    - Certificate Policy (CP) (Not required for DAR solution)
    - Certification Practice Statement (CPS) (Not required for DAR solution)
    - Continuity of Operations Plan (COOP) (Not required for DAR solution)
    - Solution Test Annex results OR Accreditation Testing Results (if a renewal)

  • Upon verifying compliance, NSA will provide a letter acknowledging the registration for a specific time period. Detailed information about each step in the process can be found in Section 5 of the CSfC Handbook at: https://www.nsa.gov/Portals/70/documents/resources/everyone/csfc/csfc-customer-handbook.pdf

  • Registration Forms are available at: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Solution-Registration/
 
 What does the registration form signify when it has been signed?

By signing the Commercial Solutions for Classified (CSfC) Registration Responsibilities form, the Authorizing Official is asserting compliance with the published CP and acknowledging/accepting the risk of fielding a CSfC solution, or acknowledging inclusion of the appropriate CP deviation approval letter signed by NSA and acknowledging/accepting the risk of fielding a CSfC solution.

 How does a CSfC client renew its solution registration?

CSfC PMO will send out 120-day, 60-day and 30-day notifications of registration expiration to the client via email to POCs listed on the client’s registration forms.  The client will submit updated registration/compliance checklist forms to NSA via email at csfc_register@nsa.gov.  The client should notify CSfC PMO if completed forms are classified for appropriate delivery instructions.

Upon receipt of completed registration/compliance checklist forms, NSA will review the updated forms to ensure continued compliance with the relevant CP. If compliance is maintained, CSfC PMO will prepare a solution acknowledgement letter. Registrations will be valid for one year from the date of the acknowledgement letter. Registration approval periods for non-permanent solutions, such as for Military Exercises or Training, will be on a case-by-case basis.

 Why do solutions need to be registered?

Per CNSS Policy 7, CSfC solutions operating on NSS or protecting NSS information need to be registered with NSA. The process of registering a CSfC solution leveraging a CSfC CP as well as registration forms are located on the CSfC website: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Solution-Registration/

 When during the registration process should NSA be notified about registering a solution for approval?

Any client is strongly encouraged to email csfc_register@nsa.gov as early as possible in the registration process to discuss their plans and approach, before procuring equipment or finalizing a design.

 Who oversees solution registrations?

The Commercial Solutions for Classified (CSfC) Program Management Office (PMO) manages all solution registrations.

 Who will confirm that the compliance checklist is accurate and sign the CSfC registration form?

The registration form, compliance checklist and network diagrams are sent to the CSfC PMO. Upon verifying compliance, NSA will provide a solution registration acknowledgement letter. The customer’s Authorizing Official (AO) will confirm that the compliance checklist is accurate and will then sign the CSfC registration form.

 Who will confirm that the master checklist is accurate and sign the Request Classified (CSfC) Registration Review form?

The master checklist is sent to the CSfC PMO. Upon verifying compliance, NSA will provide a solution registration acknowledgement letter. The customer's Authorizing Official (AO) will confirm that the master checklist is accurate and will then sign the Request Classified (CSfC) Registration Review form.

 Who is responsible for developing, approving and implementing CSfC solutions?

The CSfC PMO oversees the entire CSfC program, approves the CPs, and verifies that solutions meet the requirements of one or more CPs. NSA is responsible for creating the Capability Packages (CPs) that describe CSfC approved designs. The National Information Assurance Partnership (NIAP) is responsible for testing and approving commercial components which meet the requirements of US Government or collaborative Protection Profiles (PPs). Clients and their AOs are responsible for implementing solutions that comply with CP specifications.

 How long does it take to get registered?

The registration process varies case by case, depending on whether all required forms have been submitted and validated, the number of deviations, and mission priority.

 Who assumes the risk for CSfC solutions?

The Deputy National Manager for National Security Systems (NSS) assumes the inherent risk in the solution designs as specified in the published CPs. The client's Authorizing Official (AO) is responsible for ensuring the fielded solution complies with the CP specifications and remains in compliance.


Trusted Integrator FAQs

 Who oversees the Trusted Integrator (TI)?

The CSfC PMO vets the Trusted Integrator prior to including them on the Trusted Integrator List. The list provides a reference that a Client can use when engaging a Trusted Integrator to assist them.

 What is the role and criteria to become a Trusted Integrator for CSfC?

Trusted Integrators support the client in the implementation of CSfC CPs. Trusted Integrators specialize in bringing together CSfC components in accordance with the CSfC CPs to ensure secure and proper solution functionality.

Trusted Integrators must be prepared to demonstrate, upon request from NSA, that they have the staff and processes in place to architect, design, integrate, test, document, field and support systems that meet the requirements of the CSfC program.

In order to become a Trusted Integrator, the sponsoring organization must comply with one or more of the following standards:

  • Management and technical requirements of the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)

  • National Voluntary Lab Accreditation Program, as per NIST Handbook 150

  • ISO9000, Quality Management Systems

  • Capability Maturity Model Integration (CMMI)

NSA will assess, based on Trusted Integrator input, whether organizations meet the criteria for CSfC Trusted Integrators.

 If a company or an integrator believes they have an innovative solution addressing CSfC requirements, what can they do?

CSfC PMO encourages and welcomes innovation.  Companies may contact the CSfC PMO at: csfc@nsa.gov.

 What costs are involved in becoming a Trusted Integrator?

There are no direct costs for becoming a Trusted Integrator. NSA, CSfC and NIAP do not charge for any evaluation oversight activities.

 Where can the list of approved CSfC Trusted Integrators be found?

The list of CSfC approved Trusted Integrators can be found by visiting the CSfC webpage at: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Trusted-Integrator-List/

Additional information can be found online at:

 Why is it important to become a CSfC Trusted Integrator?

The CSfC PMO defines the criteria and processes of the Trusted Integrator program.  The program provides a common baseline for vetting and enlisting the services of solution integrators to conceptualize, build, process and sustain CSfC solutions on behalf of National Security System clients.

 Are CSfC customers mandated to work with a Trusted Integrator?

Although strongly recommended, it is not a requirement for customers to use a Trusted Integrator.

 Do Trusted Integrator personnel need to hold some level of clearance to perform their duties?

Clearances for at least one team member shall be at least equivalent to the level of data to be processed by the solution. Integrator personnel responsible for integrating, testing, maintaining and responding to security incidents shall hold clearances that enable them to receive risk assessments and adequately address vulnerabilities.

 Is it necessary that integrators have a secure facility?

It is not required that an integrator have a secure facility. However, the integrator must have access to a secure facility to receive classified risk assessments and test for classified vulnerabilities, if needed. The facility clearance shall be equivalent to the level of data to be processed by the solution.

A facility clearance is usually beneficial in order to be an effective TI, but workarounds are possible. During the registration process, a potential TI should enter into discussions with the CSfC PMO to discuss potential workarounds or other situations that would mitigate the need for a facility clearance.

 If all criteria are met, how long does the process typically take between Trusted Integrator application submission, the follow-up meeting, and establishment of a Memorandum of Agreement (MOA)?

The process usually takes approximately one month from receipt of application to signed MOA.

 Is it required that a Trusted Integrator (TI) hold a certification for one of the standards listed in Section 1.1 of the Criteria for CSfC Solution Integrators guidance or can the organization show compliance with one of the standards without having the certification?

Trusted Integrators are expected to satisfy all identifying criteria. Any questions concerning a specific requirement should be directed to the CSfC PMO at: csfc_integrators@nsa.gov.

 Is prior CSfC work experience a requirement to become a Trusted Integrator?

Prior CSfC work experience is not required; however, any relevant experience/expertise in the requested areas should be noted on the TI application.


Web Presence FAQs

 Where can the latest news and updates on CSfC be found?

The CSfC webpage contains current program information:

 Where are the classified CSfC CP risk assessments located?

Classified assessments are only available on classified systems, thus only authorized users with the appropriate access will be able to access them. Specifically:

  • SIPRNet: https://intelshare.intelink.sgov.gov/sites/csfc

  • JWICS: https://csfc.sp.web.nsa.ic.gov/Pages/index.aspx

Points of Contact

 What is the best way to contact Commercial Solutions for Classified (CSfC) PMO for general inquiries?

All inquiries and questions can be sent to the CSfC team via an email at: csfc@nsa.gov.

 Who is the contact for Commercial Solutions for Classified (CSfC) PMO for DoD or US Government customer inquiries?

All inquiries and questions can be sent to csfc@nsa.gov

 What is the best way to contact NSA?

The best way to contact NSA is:

  • Phone: (301) 688-6524

The mailing address for the National Security Agency is:

  • 9800 Savage Rd, Suite 6272, Ft. George G. Meade, MD 20755

 Who is the contact for US Government/IC Client Inquiries?

US Government and/or IC Client inquiries can be directed to:

  • Phone: (410) 854-4790, or

  • Email: iad_ccc@nsa.gov

 Who is the contact for industry inquiries?

Industry inquiries can be directed to:

  • Phone: (410) 854-6091, or

  • Email: BAO@nsa.gov

 Who is the contact for Department of Defense (DoD)/US Government Client Inquiries?

DoD/US Government Client inquiries can be directed to:

 Where can more information about National Information Assurance Partnership (NIAP) Protection Profiles be found?

For further questions about Protection Profiles contact NIAP:

  • Phone: (410) 854-4458

  • Email: niap@niap-ccevs.org

  • Fax: (410) 854-6615