CSfC Frequently Asked Questions (FAQs)

General FAQs

What is CSfC?

Commercial Solutions for Classified (CSfC) is NSA’s commercial Cybersecurity strategy that leverages industry innovation to deliver solutions with efficiency and security. The program is founded on the principle that properly configured and layered solutions can provide adequate protection of classified data in a variety of different applications. NSA/CSS policy mandates CSfC as the first option to be considered to satisfy a CS requirement.

Who oversees/manages CSfC?

The National Security Agency (NSA) oversees/manages the Commercial Solutions for Classified (CSfC) program.

Where can additional information be found for CSfC?

Additional information about the CSfC program can be found online via SIPRNet or JWICS.

Who are the typical CSfC clients?

Typical CSfC clients are National Security Systems (NSS) stakeholders, which includes the Department of Defense (DoD), the Intelligence Community (IC), Military Services and other federal agencies. These clients utilize commercial solutions based on CSfC Capability Packages (CPs) to quickly implement Cybersecurity solutions to satisfy their mission objectives.

Is there Committee on National Security Systems (CNSS) Policy on CSfC?

Yes. CNSS Policy 7, dated 9 December 2015, applies to all USG Departments and Agencies that use, or plan to use, implement, or test CSfC solutions to protect NSS. It provides a minimum set of security measures required and directs Departments and Agencies on how to safeguard NSS, and the information contained therein.

Additionally, CNSS Policy 11, dated 1 June 2013, establishes the preferential use of layered COTS product solutions to protect information on NSS and establishes processes and procedures for the evaluation and acquisition of Commercial Off The Shelf (COTS) and Government Off The Shelf (GOTS) Information Assurance (IA) or IA-enabled IT products to be used on United States Government (USG) NSS.

Why does NSA have a commercial cybersecurity strategy?

U.S. Government customers increasingly require immediate use of the market’s latest commercial hardware and software technologies within National Security Systems to achieve mission objectives. In response to rapidly evolving customer requirements, the NSA is developing information assurance/cybersecurity solutions based on emerging technologies.

Why would a client want to use CSfC?

The Commercial Solutions for Classified (CSfC) Program harnesses the power of commercial industry, and provides a secure alternative to GOTS IA solutions. It has transformed the delivery of cybersecurity solutions to NSS customers, including Combatant Commands, Military Services and USG departments and agencies. As a result of NSA’s investment into research and application of commercial technologies, NSS customers can securely communicate using commercial products.

Benefits include:

  • End-to-End Solutions – Provides NSA designed and approved solutions, leveraging a cadre of vetted, trusted system integrators.

  • Flexibility and Transparency – Leverages NIAP-validated components, satisfying US and Collaborative Protection Profile requirements, validated against international Common Criteria.

  • Cost Effectiveness and Efficiency – Allows clients to keep pace with technological progress and employs the latest capabilities in their systems and networks. Accelerates the time required to build, evaluate and deploy cybersecurity solutions by utilizing technologies already available to the commercial sector. Potential cost savings may be realized through marketplace competition and rapidly deployable, scalable commercial products.

  • Standards based – Leverages open, non-proprietary interoperability and security standards.

  • Monitoring and Response – Provides situational awareness about components use and location, as well as documented incident handling procedures.

  • Technical Expertise – Driven by NSA’s world-class team of system engineers, threat analysts, and cyber experts.

What is the client’s role in CSfC? What responsibilities will the client have in stating their requirements and managing their security solutions?

CSfC allows clients to use COTS products, and to tailor their solution, to meet their specific performance and environmental needs. This results in an optimal IA/cybersecurity solution for the client. To support this effort, NSA has developed, approved and published Capability Packages (CPs). For information, or assistance in determining whether an approved CP meets their needs, clients may engage NSA through their designated NSA client advocates and the NSA Client Contact Center.

Clients must register all CSfC solutions operating on NSS, or protecting NSS information. This includes submitting the appropriate compliance checklist, registration form and network diagrams. Although not mandatory, CSfC strongly encourages working with a Trusted Integrator while designing, building and testing a CSfC solution. Clients are responsible for obtaining, under their organization’s established accreditation and approval process, certification and accreditation of the client implementation of a CP. A client is strongly encouraged to email the CSfC PMO (CSfC@nsa.gov) early in the process to advise NSA that you plan to register a solution before finalizing your design.

How often is the CSfC website updated?

CSfC maintains a web presence on multiple security domains, and they are updated frequently to reflect changes and enhancements to the Capability Packages/Annexes, Components List, and Trusted Integrator List. The CPs/Annexes available on the websites are reviewed/updated biannually.

Can commercial industry participate to help develop requirements for commercial components?

Yes, NSA encourages innovation and works with technical communities from across industry, government and academia. Together, they develop product-level requirements called USG Protection Profiles (PPs). Additionally, commercial industry can participate by taking part in Technical Communities (TCs) that help with the development of PPs. 

Does CSfC specify any physical security requirements?

Yes, required physical security requirements are specified in the corresponding CSfC Capability Packages or documented in the relevant Protection Profiles (PP). These requirements may include, but are not limited to, anti-tamper, tempest, and authentication.

What assurance features are incorporated into the CSfC solution designs?

Multiple levels of assurance are incorporated into every CSfC solution. These features begin at the design phase and continue through the solution lifecycle with periodic assessments. Assurance features are customized with individual implementations; however, they typically include:

  • Product diversity using layered solutions for commercial components.

  • Component selections from the approved CSfC Components List. The list ensures components have satisfied specific requirements and evaluation by a Common Criteria Testing Lab, which includes compliance with the applicable public standards and protocols as specified in the PPs and CSfC CPs.

  • Risk models and risk assessments for CSfC prototypes and CPs.

  • Analysis of standards, protocols and algorithms used in a particular solution or prototype.

  • Vulnerability analysis of appropriate products and solutions, as well as follow-on National Manager Risk Notifications and mitigation guidance, as needed.

  • Established security incident response process.

  • Security testing of CPs that provide sufficient guidance for accreditors to make informed decisions. Also, an independent senior review of CPs to provide high-level security and configuration guidance.

Can a CSfC solution be used on coalition networks?

CSfC is an appropriate solution for cases in which the client is protecting information in transit to foreign nationals.

Can a CSfC solution be deployed to replace a Protected Distribution System (PDS)?

There is a strong business case for deploying a CSfC solution as a replacement for a PDS. PDSs with COMSEC CCIs may be more costly and logistically intensive compared to modern technologies and architectures. However, individual requirements and solutions may vary.  Local policy justification and cost analysis should be conducted.

Does CSfC replace NSA's Government-off-the-Shelf (GOTS) IA strategy?

No, CSfC is a secure alternative to GOTS. NSA will examine the client’s needs to ensure the right tool is used at the right place and in the right environment.

Does NSA still support GOTS, and is it as secure as COTS cyber security solutions?

NSA’s strategy for protecting classified information continues to employ both COTS and GOTS solutions. However, NSA will look first to CSfC in helping clients meet their needs for protecting classified information.

NSA continues to support clients who already use GOTS or who have needs that can only be met via GOTS. CSfC is focused on IA/cybersecurity solutions that feature properly configured and layered COTS products to provide adequate protection of classified data.

Capability Package FAQs

What is a CP and what approved CPs are listed on the CSfC website?

Capability Packages (CPs) are solution-level specifications and the foundation of the CSfC Program. They are vendor-agnostic and provide high-level security and configuration guidance.
NSA uses a defense-in-depth approach using properly configured, layered solutions to provide adequate protection of classified data for a variety of different capabilities. CPs support this by providing high-level reference designs and corresponding configuration information. Clients can then select COTS products from the CSfC components list and properly configure those products.  This results in a level of assurance sufficient for protecting classified and unclassified National Security Systems’ (NSS) data.
The National Manager approved capabilities are:

How often will Capability Packages (CPs) be changed, and how are the changes managed?

CPs are reviewed by NSA semi-annually and revised to keep pace with changing technology and policies. CPs incorporate lessons learned from early adopters before additional security products and services are selected. Updates are driven by new client needs, technology advances, policies and problems encountered with the use of existing documents.

NSA retains responsibility for reviewing requests, identifying the need, and determining which changes will be implemented.

Who designs and approves the solution-level specifications for Capability Packages?

NSA designs, develops, approves and publishes solution-level specifications as Capability Packages (CP). These CPs provide the client with ready-access to the information needed to satisfy operational requirements.

In accordance with the Committee on National Security Systems (CNSS Policy 7), “Use of Commercial Solutions to Protect National Security Systems,” the Deputy National Manager (DNM) must approve CSfC CPs developed under the CSfC process.  Furthermore, all CSfC solutions operating on, or protecting, NSS information must be registered with NSA.

Trusted Integrators (TIs) specialize in architecting together CSfC components in accordance with the CPs to ensure secure and proper solution functionality.  They support NSS clients with the implementation of solution-level specifications outlined in the CPs.  TIs do not approve the solutions.

Who are the POCs for the published CPs?

Questions regarding the CPs can be emailed to the specific Capability Package Maintenance Teams at the following:

Where are the Deputy National Manager approved CPs located?

Current and approved CPs are listed on the CSfC webpage at: https://www.nsa.gov/resources/Commercial-Solutions-for-Classified/Capability-Packages

What is the difference between a “.8” and an “approved” version of a Capability Package? Can a client register a solution against .8 versions of CPs?

All solutions must be registered based upon the DNM-approved versions, which are clearly identified on the website. Clients cannot register solutions based on .8 versions. The .8 versions of the CPs are provided to initiate discussions and solicit feedback regarding possible additions to the CPs. NSA welcomes input and feedback. Opportunities to comment on .8 versions can be tracked via the CSfC Main Capability Package & Annex Schedule. To contribute to a CP/Annex in development, please contact the CSfC PMO at csfc@nsa.gov.

What are the current approved CPs and how do they work?

A brief description of each of the current Capability Packages (CPs) follows:

  • Mobile Access (MA CP)

    • The MA CP describes a general mobile access solution that protects classified information as it travels across either an untrusted network or a network consisting of multiple classification levels. This includes protecting classified data transiting wired networks, domestic cellular networks, and trusted wireless networks to include government private cellular networks and government private Wi-Fi networks.

    • This solution supports connecting End User Devices (EUDs) to a classified network via two layers of encryption terminated on the EUD, if the EUD and the network operate at the same security level. The MA solution uses two nested, independent tunnels to protect the confidentiality and integrity of data (including voice and video) as it transits the untrusted network. The MA solution utilizes IPsec as the outer tunnel and, depending on the solution design, IPsec or Transport Layer Security (TLS) as the inner layer of protection.

  • Campus WLAN (WLAN CP)

    • The WLAN CP enables the client to meet the demand for commercial End User Devices (EUDs) -- such as tablets, smartphones, and laptop computers -- to access secure enterprise services over a campus wireless network. The Campus WLAN CP enables the client to implement layered encryption between a secure network and an EUD.

    • The WLAN CP provides a reference architecture and corresponding configuration information leveraging the list of COTS products from the CSfC Components List. Approved COTS devices will be used for the client’s Campus wireless local area network (WLAN) solution which, when properly configured, will achieve a level of assurance sufficient for protecting classified data while in transit. Suite B algorithms use layers of COTS products to protect classified data.

  • Multi-Site Connectivity (MSC CP)

    • The MSC CP (sometimes referred to as “VPN 3.2 CP”) describes a general MSC solution to protect classified information as it travels across either an untrusted network or a network of a different security level. The solution supports interconnecting two or more networks operating at the same security level via encryption tunnels, where the security level encompasses the classification level, list of compartments, dissemination controls, and other such controls over information. The solution provides sufficient flexibility to be applicable to many use cases of MSC implementations.

    • The MSC Solution uses two nested, independent encryption tunnels to protect the confidentiality and integrity of data as it transits the untrusted network. The two encryption tunnels protecting a data flow can use either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. VPN Gateways and MACsec Devices are implemented as part of the network infrastructure.

  • Data at Rest Capability Package (DAR CP)

    • The DAR CP enables customers to implement two independent layers of encryption for providing protection for stored information using NSA approved cryptography while the End User Device (EUD) is powered off or in an unauthenticated state (defined as prior to a user presenting credentials and being validated by both layers of the DAR solution). Specific data to be protected must be determined by the data owner.

    • Although the DAR solution designs can protect the confidentiality of data and render the EUD unclassified, it does not protect the integrity of an EUD outside of the control of an approved user. Therefore, implementing organizations, as part of their solution, must define the circumstances in which an EUD is to be considered outside of the Positive Control of authorized users (i.e., "lost"). Authorizing Officials (AOs) will define the circumstances for considering a device outside of the Positive Control of an authorized user that aligns with the intended mission and threat environment for which the solution will be deployed.

Where can information about future direction and requirements for new/revised CPs be located?

Updates will be posted to the Coming Soon Page as new information becomes available. Also, any client wishing to receive email notifications about updates to this website may email the CSfC PMO at csfc@nsa.gov with any questions. CSfC information is available at:

How can clients be more successful implementing solutions in compliance with CP requirements?

Clients can improve the likelihood of success for their solution implementation by utilizing the services of an experienced solution integrator. A list of approved Trusted Integrators is available at:

https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Trusted-Integrator-List/

Does the client need to notify NSA if any changes are made to the solution implementation of the Capability Package?

Yes, if a Trusted Integrator or the client decides to make changes to a solution implementation that results in the solution no longer conforming to a current CP, the client must notify NSA.

What are Retransmission Devices (RDs)?

The government-owned RD is a category of devices that includes Wi-Fi hotspots and mobile routers. On the external side, the RD can be connected to any type of medium (e.g., cellular, Wi-Fi, SATCOM, Ethernet) to gain access to a Wide Area Network. On the internal side, the RD is connected to EUDs either through an Ethernet cable or Wi-Fi. When the RD is a Wi-Fi access point connected to the EUD (or multiple EUDs), the Wi-Fi network must implement Wi-Fi Protected Access II (WPA2) with Pre-Shared Key (PSK). The EUD must be configured to only permit connections to authorized RDs. RDs are only permitted to establish connectivity to the Black Network, and may not be placed between Outer Encryption Components and Inner Encryption Components. More information on RD specifications and requirements can be found by accessing the Mobile Access Capability Package (MA CP).

Since biometrics are optional, are there any plans for specific supplemental CSfC selections in this area?

While there are biometric details written into NIAP's MDF PP, there are currently no biometric selections for CSfC.

Will biometrics, if allowed, be limited to only the fingerprint template?

As specified in the Mobile Access Capability Package (MA CP 2.1, Section 4.4, Authentication): "The second factor will be a 'something-you-have' factor manifesting as a physically separate token from the VPN EUD supplying a one-time password for the user to enter. For future versions of the MA CP, transferring this one-time password via a short-range RF communication will be explored. Allowing 'something-you-are' (e.g. biometric) as a second factor is also being explored for future versions."

Who assumes responsibility for the inherent risk in Capability Package designs?

In CSfC, the overall risk of the solution is shared.  The Deputy National Manager (DNM) for National Security Systems (NSS) assumes the inherent risk in the solution designs as specified in the published CPs. On the other hand, the Client's Authorizing Official (AO) is responsible for ensuring the fielded solution complies with the CP specifications and remains in compliance. 

How does the alternative authentication mechanism apply with the DAR Solution? Is a primary authentication mechanism still needed?

Many products offer alternate authentication mechanisms. When implementing the DAR solution, these alternate mechanisms may be used only as a secondary (non-validated) authentication factor and must be paired with a primary authentication factor. Secondary factors may act as an additional access control or may contribute to the product’s key chain; the product’s protection profile evaluation guarantees there is no loss in strength when combining keys with potentially weaker sources.

What does Data at Rest (DAR) have to do with Diversity and Supply Chain?

Supply Chain and Diversity co-exist with DAR. Supply chain attacks may occur during development, production, updates, distribution, shipping, in storage, during operations or at disposal. For this reason, it is imperative that all components selected for use in CSfC solutions are subject to the applicable Supply Chain Risk Management (SCRM) process to reduce the risk of acquiring compromised components.

Diversity is applied by using multiple layers with components that meet the CSfC vendor diversity requirements. This reduces the likelihood that a single vulnerability can be exploited to reveal protected information. Each component selected from the CSfC Components List must go through a Product Supply Chain Risk Management (SCRM) Assessment to determine the appropriate mitigations for the intended application of the component per the organization’s AO-approved Product SCRM process.

How long does a client (Government Agency) have to comply with a newly released Capability Package (CP)?

Once a new version of a CP is published, the client may continue to operate up to re-registration.  In accordance with CSfC policy, the client must comply with the new version upon re-registration. CSfC PMO will send out 120-day, 60-day and 30-day notifications of registration expirations to the client via email.

Who dictates the installation of patches for solution components for Capability Packages (CPs)?

Local policy dictates how the Security Administrator installs patches to Solution Components. This is to ensure that the latest patches and updates are applied to each product in a timely fashion. Critical patches shall be tested and subsequently applied to all components in the solution in accordance with local policy and the CPs.

Components List FAQs

What is the CSfC Components List?

The CSfC Components List is the list of NSA-approved components that can be used in National Manager approved commercial IA/cybersecurity solutions. The components are architected together by the client or integrator to satisfy the reference architectures and configuration information contained in published Capability Packages (CPs). The client must ensure that the components selected will permit the necessary functionality for the selected architecture.

Who maintains the Commercial Solutions for Classified (CSfC) Components List?

The CSfC PMO maintains the Components List. Additional information, to include the list of components, can be found online at:

What is the process for commercial component developers to have their products become eligible as CSfC components?

Commercial component developers, who wish for their products to be eligible for CSfC, must build them in accordance with the applicable US Government approved or collaborative Protection Profiles.  Then, they must submit their product for evaluation in accordance with the established Common Criteria process. After that, the commercial component developer will enter into an MOA with NSA.

Interested commercial component developers must complete and submit the CSfC Questionnaire for each product. Submit completed Questionnaires to: csfc_components@nsa.gov.

What are the benefits of being included on the CSfC Components List?

In accordance with CNSS Policy 7, only approved products on the CSfC Components List can be used in commercial cybersecurity solutions protecting classified NSS data.

Where can I see the technology categories for the CSfC Components List?

The technology categories are listed on the CSfC Components List. Additional information can be found online at:

Where can current listings of the approved Protection Profiles (PPs) be accessed?

Currently approved and in-development listings of NIAP-approved US Government and Collaborative PPs are provided online on the NIAP site.

Why is there an Archived Components List?

The Archived Components List outlines products that are no longer approved for use in CSfC solutions. Any client using products from the Archived Components List must transition to currently approved products when renewing a registered solution, making changes to the registered solution, or when security risks mandate a change.

How frequently is the Components List updated?

The Components List is updated every two to three weeks or when necessitated by a significant change.

Where can information on CSfC manufacturer diversity requirements be found?

The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers. The manufacturer must show sufficient independence in the code base and cryptographic implementations of the products used to implement each layer. To demonstrate this, a manufacturer must document the similarities and differences between the two products, to include cryptographic hardware components, software code base (i.e. operating system), software cryptographic libraries and development teams. It is a fundamental requirement that the code bases of the two products be significantly different. Additionally, the vendor must document measures taken to ensure that supply chain risk is no greater than would be the case for products from two different vendors. NSA will review the information and determine whether the documentation is sufficient to meet the requirements for independent layers. Manufacturer diversity will continue to be accepted to constitute independent layers. Vendors who wish to submit a statement may do so at csfc_components@nsa.gov.

Can open-source components be used in CSfC?

An open-source component may be used, provided it has a responsible sponsor and an NSA-approved plan for taking the component through the Common Criteria Evaluation.  In addition, a plan for the sustainment of the component that includes version updates and software patch installation is required. A client who wishes to use open-source components should contact csfc_components@nsa.gov and provide the evaluation, sustainment plan and the responsible parties for each open-source component.

Key Management Annex/Enterprise Gray Annex FAQs

Who issues certificates?

Certificates are issued by a US PKI Certificate Authority (CA). The CSfC PMO is exploring the idea of a solution that involves a US and foreign partner nation issuing certificates from their respective sides.  

What is the difference between Enterprise Gray (EG) and Global Gray networks?

The Enterprise Gray network allows a single Authorizing Official (AO) to implement a Commercial Solutions for Classified (CSfC) deployment for supporting a National Security System (NSS) enterprise environment. The EG deployment may feature overlap of more than one CP, centralized or remote management, enhanced scalability, or redundant or distributed infrastructure for higher availability. The Global Gray network is primarily envisioned as the sharing of a distributed CSfC ecosystem to support Data-In-Transit for large scale networks (e.g. SIPRNet) with multiple AOs assuming various responsibilities. Conceptually, a primary entity (e.g. DISA) would own/operate and provide access to this gray network as a service. Features may include those already identified for the Enterprise Gray network along with the clear benefit of interagency interoperability.

Is there any CP that provides support for multiple security levels?

Mobile Access CP and Campus WLAN CP provide support for multiple Red networks of different security levels. The solutions provide secure connectivity between EUDs and the Red Network of the same security level while preventing EUDs from accessing Red Networks of different security levels. A single implementation of the MSC Solution may support Red networks of different security levels. The MSC CP version 1.1 provides secure connectivity between the Red networks within each security level while preventing Red networks of different security levels from communicating with one another. This enables a customer to use the same physical infrastructure to carry traffic from multiple networks. More information regarding multiple security levels can be found in the MA CP, WLAN CP, and MSC CP.

Can CSfC be utilized to protect classified data exchanges with foreign partners when the US owns/operates all components of a solution?

CSfC can be used to protect classified data exchanges involving foreign partners if the US owns/operates all components of a solution.

Can CSfC be utilized to protect classified data exchanges with multiple foreign partners connected to a bilateral network when the US owns/operates one side and foreign partner nation owns/operates the distant side?

The CSfC PMO is exploring the idea of supporting data exchanges where the US owns/operates one side and the foreign partner(s) owns/operates the distant side.

How does CSfC mitigate supply chain concerns?

Supply chain concerns are mitigated down to an acceptable level by selecting components from the CSfC components list and utilizing a rigorous acquisition process.  Furthermore, an AO must perform due diligence when integrating commercial components for mission operations. Each component must go through a Product Supply Chain Risk Management (SCRM) Assessment to determine the appropriate mitigations for the intended application of the component per the organization’s AO-approved Product SCRM process. Additionally, CSfC addresses the supply chain concern by applying multiple layers of components that utilize Commercial National Security Algorithm (CNSA) Suite encryption and meet the CSfC vendor diversity requirements, which then reduces the likelihood that a single vulnerability can be exploited to reveal protected information.

What is Commercial National Security Algorithm (CNSA) suite encryption?

CNSA algorithms (previously known as Suite B) are approved by the National Institute of Standards and Technology (NIST). The CNSA suite is a set of commercial algorithms that includes cryptographic algorithms for confidentiality, key exchange, digital signature and hashing capable of protecting data through the Top-Secret level. Specific protocols are in the Capability Packages (CPs).

What happened to Suite B? Why was it replaced with the CNSA suite?

NSA issued CNSS Advisory Memorandum 02-15, listing cryptographic algorithms that can be used in NSS. The CNSA Suite replaces the current Suite B Algorithms and provides new algorithms for clients who are looking for mitigations to perform. The transition from Suite B to CNSA is a result of NSS using more complex approved cryptographic algorithms. For questions about Suite B and Cryptography, contact the National Cryptographic Solutions Management Office (NCSMO) at (410) 854-8577.

What algorithms are used in CSfC solutions?

CSfC solutions use asymmetric algorithms, as defined in the Commercial National Security Algorithm (CNSA) Suite, and X.509 certificates for component authentication to establish the Outer and Inner encryption tunnels. Specifically, the following algorithms will be required to protect all NSS up to the Top-Secret level: AES 256 (confidentiality) (*Note that AES 256 is an objective requirement for WPA2 Enterprise). Other algorithms include RSA 3072 or ECDSA P-384 (digital signature and authentication), RSA 3072, DH 3072 or ECDH P-384 (key exchange), and SHA-384 (hashing and integrity). Customers protecting long-life intelligence data should contact the CSfC PMO (csfc@nsa.gov) for additional details on how symmetric key cryptography can be leveraged in the Capability Packages (CPs).
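A configuration audit against the algorithm list above, as an added example that is not NSA or CSfC code. It assumes each tunnel's proposal is written with strongSwan-style keywords (for example `aes256gcm16-prfsha384-ecp384`); the record layout, function names and sample configurations are constructed for illustration, and RSA/DH sizes are treated as minimums, which is an assumption.

```python
import re

# Modulus size for RSA and finite-field DH, from the FAQ answer above.
# Assumption: treated as a minimum, so modp4096 or RSA-4096 also pass.
FF_MIN_BITS = 3072
REQUIRED_ROLES = ("confidentiality", "key exchange", "hashing")


def check_token(token):
    """Return (role, compliant, label) for one proposal keyword, or None if unrecognized."""
    if m := re.fullmatch(r"aes(\d+)(?:gcm\d+|ccm\d+|ctr)?", token):
        return "confidentiality", int(m[1]) == 256, f"AES-{m[1]}"
    if m := re.fullmatch(r"(?:prf)?(md5|sha\d+)(?:_\d+)?", token):
        return "hashing", m[1] == "sha384", m[1].upper()
    if m := re.fullmatch(r"modp(\d+)", token):
        return "key exchange", int(m[1]) >= FF_MIN_BITS, f"DH-{m[1]}"
    if m := re.fullmatch(r"ecp(\d+)", token):
        return "key exchange", m[1] == "384", f"ECDH P-{m[1]}"
    return None


def check_auth(auth):
    """Check a constructed 'rsa-<bits>' / 'ecdsa-<bits>' certificate key description."""
    m = re.fullmatch(r"(rsa|ecdsa)-(\d+)", auth)
    if not m:
        return False, auth
    bits = int(m[2])
    ok = bits >= FF_MIN_BITS if m[1] == "rsa" else bits == 384
    return ok, f"{m[1].upper()}-{bits}"


def audit_tunnel(name, cfg):
    """Return a list of findings for one tunnel layer (empty list means it passes)."""
    findings, seen = [], set()
    for token in cfg["proposal"].lower().split("-"):
        result = check_token(token)
        if result is None:
            findings.append(f"{name}: '{token}' is not an algorithm on the FAQ list")
            continue
        role, ok, label = result
        seen.add(role)
        if not ok:
            findings.append(f"{name}: {label} does not meet the {role} requirement")
    # A proposal that silently omits a role is also a finding.
    for role in REQUIRED_ROLES:
        if role not in seen:
            findings.append(f"{name}: no {role} algorithm in proposal")
    ok, label = check_auth(cfg["auth"].lower())
    if not ok:
        findings.append(f"{name}: {label} does not meet the signature requirement")
    return findings


def audit_solution(solution):
    """Audit both encryption layers; each layer must pass independently."""
    findings = []
    for layer in ("outer", "inner"):
        if layer not in solution:
            findings.append(f"{layer}: tunnel not configured")
        else:
            findings += audit_tunnel(layer, solution[layer])
    return findings


# Constructed sample configurations (not taken from any real deployment).
GOOD = {
    "outer": {"proposal": "aes256gcm16-prfsha384-ecp384", "auth": "ecdsa-384"},
    "inner": {"proposal": "aes256-sha384-modp3072", "auth": "rsa-3072"},
}
WEAK = {
    "outer": {"proposal": "aes128-sha256-modp2048", "auth": "rsa-2048"},
    "inner": {"proposal": "aes256gcm16-prfsha384-curve25519", "auth": "ecdsa-384"},
}

if __name__ == "__main__":
    for label, solution in (("GOOD", GOOD), ("WEAK", WEAK)):
        results = audit_solution(solution)
        print(label, "passes" if not results else "fails")
        for finding in results:
            print("  ", finding)
```
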

The CSfC website states that there will be a transition from the CNSA (Commercial National Security Algorithm) suite to quantum resistant algorithms. Will this affect the use of components?

It is important to note that vendors and clients may continue to implement CNSA Suite algorithms. The preferred CNSA Suite standards should be used to the fullest extent possible when elliptic curve protocols are to be used.  They have a longer history of security evaluation and time-tested implementations than the newer protocols.

However, in order to provide more flexibility to commercial developers and clients, a transition to quantum resistant algorithms is anticipated in order to provide a quantum safe future.

Are the CSfC Capability Packages an alternative to Type 1 attended or unattended solutions?

CSfC has not replaced Type 1. CSfC CPs are an alternative to Type 1 solutions. The CPs empower the client to implement secure solutions using independent, layered Commercial Off-the-Shelf products from the CSfC Components List. CSfC solutions can be used to protect classified data in a variety of applications.

Based on the client's needs, NSA will use the correct tool for the right job (CSfC, Type 1, etc.). Very often, the right tool can include the layered use of the commercial products in accordance with CSfC requirements. U.S. national policy (CNSSP-15) provides for the protection of National Security Systems (NSS), which shall utilize Commercial National Security Algorithm (CNSA) suite solutions for protection of information systems.

Can the CSfC solution be used to remove Taclanes from local buildings on the client’s site?

It may be possible to replace Taclanes with a CSfC solution, but it depends on several factors (requirements, AO, etc.). In general, the MSC CP is adaptable to support capabilities for multiple sites and/or multiple security levels, depending on the needs of the client. For more information on the MSC CP, please go to the CSfC website at:

https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/capability-packages/#multi-site

National Information Assurance Partnership (NIAP) FAQs

Where can additional information about the NIAP Evaluation and Validation Process be found?

The NIAP Evaluation and Validation Process is explained in detail at: https://www.niap-ccevs.org/Ref/Evals.cfm

What is the approximate length of time of a NIAP evaluation?

A NIAP evaluation can be completed in less than 90 days, but must not exceed 180 days (6 months). The time it takes to evaluate/validate a product depends on many factors, including: size and complexity of the product; the amount of evidence available vs. the amount that needs to be generated; and the availability of lab resources to do the evaluation. Common Criteria evaluations conducted outside of NIAP [in other Common Criteria Recognition Arrangement (CCRA) nations] may take longer. Additional information can be found on the NIAP webpage at: https://www.niap-ccevs.org/Ref/FAQ.cfm

Is it possible for an IT product to be evaluated in non-US labs and still be used in the Commercial Solutions for Classified (CSfC) program?

Yes, NIAP can recognize evaluations handled against NIAP-approved Protection Profiles in other schemes per the Common Criteria Recognition Arrangement (CCRA). Further information may be found at: https://www.niap-ccevs.org/Ref/CCRA.Partners.cfm

Is it necessary to engage the National Information Assurance Partnership (NIAP) when modifying a component?

Guidelines concerning modifications to NIAP approved components can be found on NIAP’s assured continuity website, located at: https://www.niap-ccevs.org/Ref/FAQ.cfm.

Are GOTS products evaluated by NIAP?

No, NIAP does not evaluate Government Off the Shelf (GOTS) products.

Is Common Criteria mandatory for CSfC?

Yes, Common Criteria is mandatory for CSfC. Additionally, per CNSS Policy 7, all CSfC solutions operating on NSS systems, or protecting NSS information, must be registered with NSA.

Why do some technology areas on the CSfC Components List have selectable requirements?

For certain technologies, the CSfC program requires specific selectable requirements from the applicable NIAP-approved Protection Profiles (PPs) to be included in a product’s Common Criteria Evaluation.  Selectable requirements are not mandatory for products to be listed on the NIAP Product Compliant List, but they are required in order for certain products to be listed on the CSfC Components List. Independent Testing Laboratories will evaluate the products to determine if they meet these requirements.


Policy FAQs

Who can approve the certificate requests for Capability Packages (CPs)?

Certificate requests are approved by an authorized registration authority and submitted to the Certificate Authority in accordance with the corresponding CP.

What is Committee on National Security Systems Policy (CNSSP) No. 7?

CNSS Policy 7 provides a minimum set of security measures required for US Government Departments and Agencies (D/A) use of CSfC solutions. The heads of D/As are ultimately responsible for protecting NSS (both classified and unclassified) that transmit, receive, process or store information using CSfC solutions.

D/As ensure all CSfC solutions comply with NSA requirements, as delineated in this policy. Implementation of CSfC solutions does not preclude the application of additional requirements associated with the security of NSS (e.g., physical security, TEMPEST, Operations Security).

What is Committee on National Security Systems Policy (CNSSP) No. 15?

CNSS Policy 15 describes the requirements, roles and responsibilities associated with the use of public cryptologic protocols and algorithms to protect NSS and the information residing therein, or transmitted between NSS.

Protection Profiles FAQs

Why are Protection Profiles (PPs) important?

Protection Profiles are implementation-independent sets of security requirements and test activities for a particular technology.  They enable achievable, repeatable and testable evaluations. PPs define security measures and assurance requirements that clients, Trusted Integrators and commercial component developers expect components to meet.

Commercial component developers who wish to have their products be eligible as CSfC components and approved for use as part of a composed, layered IA/Cybersecurity solution, must build their products in accordance with the applicable US Government approved PPs.

All products must demonstrate exact compliance to the applicable technology protection profile. NIAP assesses the results of the security evaluation conducted by an independent lab.  If the evaluation is successful, NIAP issues a validation certificate and lists the product on the US NIAP Product Compliant List.

US Customers, including Designated Approving Authorities (DAAs), Authorizing Officials (AOs) and integrators may treat the evaluation results as complying with CNSS Policy 11, Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products. PPs are intended to help all stakeholders and end users meet the increasing demand for cybersecurity by making it easy to procure, deploy and utilize certified, approved products.

If a Protection Profile does not exist for a specific CSfC technology category, what is the next logical step?

The National Information Assurance Partnership (NIAP) should be contacted directly to discuss a way forward for each specific situation. For more information, please visit the NIAP website at: https://www.niap-ccevs.org/

Who is responsible for interoperability among systems, and will there be interoperability Protection Profiles (PPs) or Capability Packages (CPs)?

Ultimately, the Client is responsible for ensuring that the solutions it procures satisfy its specific interoperability needs. However, correctly utilizing the Capability Packages and Protection Profiles and leveraging the services of a Trusted Integrator will assist the client in achieving interoperability goals.

It is the commercial component developer’s responsibility to correctly implement the commercial standards that are referenced in the PP.  This enables interoperability with CNSA suite products from other commercial component developers. Clients and integrators should perform interoperability testing to ensure the components selected for their CSfC solution are interoperable.

Additionally, Capability Packages provide high-level reference designs and corresponding configuration information which facilitates, but does not guarantee, interoperability among components and systems.

How does a vendor obtain a current Protection Profile?

Current versions of all PPs are available on the NIAP website at: https://www.niap-ccevs.org/Profile/PP.cfm

How are updates or corrections to a Protection Profile (PP) made?

PPs are regularly updated to account for new security capabilities, address known vulnerabilities and align with industry standards and best practices. Approved, developing and archived PPs are located on the NIAP website along with other pertinent information.

What assurances are there that a new system/capability will be CSfC compliant?

Commercial technologies from the CSfC Components List shall be used, in accordance with NSA's published CSfC Capability Packages (CPs), for protecting classified Data at Rest (DAR) or Data in Transit (DiT) for National Security Systems (NSS). Technologies must have been validated by Common Criteria Testing Labs, in accordance with the National Information Assurance Partnership (NIAP) Protection Profiles (PPs). CPs and the CSfC Components List can be found by visiting the CSfC Components List page. NIAP-validated products can be found at the NIAP website on the CCEVS Product Compliant List page. Developers who wish to submit registration packages to be evaluated for compliance should reach out to csfc_register@nsa.gov.

Are IASRD requirements used in the creation of Protection Profiles?

Information Assurance Security Requirements Directive (IASRD) requirements are not used in the creation of the PPs.

Do the optional requirements apply to CSfC?

Alternative versions of a requirement may exist in a Capability Package. Such alternative versions of a requirement are designated as being either a Threshold (T) requirement or an Objective (O) requirement. In many cases, the Threshold requirement also serves as the Objective requirement (T=O). Where both a Threshold requirement and a related Objective requirement exist, the Objective requirement improves upon the Threshold requirement and may replace the Threshold requirement in future versions of the CP. Objective requirements without a corresponding Threshold requirement are marked as "Optional", but improve upon the overall security of the solution and should be implemented where feasible.

In a VPN solution, are all of the layers end-to-end (i.e., red/black/grey gateways, authentication)? For instance, when considering three classified enclaves of computers (A, B and C) where A is connected to B with a Site-to-Site VPN solution (basically, two VPN gateways in series) and B is connected to C with a HAIPE solution, is the data being sent from A to C encrypted end-to-end?

The data is not necessarily encrypted end-to-end, as not all layers are end-to-end. In the example above, data sent from A to C would not be encrypted end-to-end as there would be a Red gateway at B for traffic between A and C. Each VPN tunnel could authenticate its peer; however, in this example it does not yield true end-to-end authentication.

In the instance described above, the configuration would not be a CSfC solution. Specifically, HAIPE is a GOTS solution, so this example would have a mix of both GOTS and CSfC solutions, which is not a typical, or necessarily recommended, solution.

Which Protection Profiles apply to the CSfC Components List?

The CSfC Components List is available on the CSfC Website. Selecting a specific component from this list will bring up specific components and the Protection Profiles that apply to them.

Solution Registration FAQs:

What is the solution registration and approval process, and what registration forms/documentation are needed?

To assist their clients, NSA has developed Capability Packages (CPs) that contain information needed to satisfy operational requirements. They are published on the CSfC website. The first step in any client’s solution registration is to review the CPs and determine if one exists that meets their needs.

For information or assistance in determining whether an approved CP satisfies their requirements, clients (e.g., Department of Defense Component, Intelligence Community Organizations, and Federal Agencies) may engage NSA through their designated NSA client advocate and the NSA client contact center. Information can be viewed at: www.nsa.gov/about/contact-us/.

CSfC strongly encourages (but does not mandate) working with a Trusted Integrator while designing, building and testing a CSfC-compliant solution.  Users of the CPs are responsible for obtaining certification and accreditation of the CP’s implementation under their organization's established accreditation and approval processes.

The Capability Package Solution Registration process is outlined below:

  • Involve the CSfC PMO early in the process.

  • Customers are strongly encouraged to email csfc_register@nsa.gov to advise NSA of their plan to register a solution before finalizing their design.

  • Obtain a Solution Registration Identification Number from the CSfC PMO.

  • Coordinate the completed Capability Package (to include the Registration Form, the CP-specific Compliance Checklists and the network diagrams) with the CSfC PMO prior to submitting the AO-signed versions. This will allow CSfC PMO to review, assist and make recommendations to smooth the formal registration process.

  • Using CSfC guidance, configure and test the system in a controlled manner.

  • Submit the signed Capability Package to the CSfC PMO, to include:

      - Master Document, complete all tabs relevant to your solution

      - Request Classified (CSfC) Registration Review (Open in PDF & Enable All Features)

      - Network diagram(s)

      - Concept of Operation Document (CONOPs)

      - Certificate Policy (CP) (Not required for DAR solution)

      - Certification Practice Statement (CPS) (Not required for DAR solution)

      - Continuity of Operations Plan (COOP) (Not required for DAR solution)

      - Solution Test Annex results OR Accreditation Testing Results (if a renewal)

  • Upon verifying compliance, NSA will provide a letter acknowledging the registration for a specific time period. Detailed information about each step in the process can be found in Section 5 of the CSfC Handbook at: https://www.nsa.gov/Portals/70/documents/resources/everyone/csfc/csfc-customer-handbook.pdf

  • Registration Forms are available at: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Solution-Registration/
 
What does the registration form signify when it has been signed?

By signing the Commercial Solutions for Classified (CSfC) Registration Responsibilities form, the Authorizing Official is asserting compliance with the published CP and acknowledging/accepting the risk of fielding a CSfC solution, or acknowledging inclusion of the appropriate CP deviation approval letter signed by NSA and acknowledging/accepting the risk of fielding a CSfC solution.

What does the Commercial Solutions for Classified (CSfC) Registration Responsibilities Form signify when it has been signed?

By signing the Commercial Solutions for Classified (CSfC) Registration Responsibilities form, the Authorizing Official is asserting compliance with the published CP and acknowledging/accepting the risk of fielding a CSfC solution, or acknowledging inclusion of the appropriate CP deviation approval letter signed by NSA and acknowledging/accepting the risk of fielding a CSfC solution.

How does a CSfC client renew its solution registration?

CSfC PMO will send out 120-day, 60-day and 30-day notifications of registration expiration to the client via email to POCs listed on the client’s registration forms.  The client will submit updated registration/compliance checklist forms to NSA via email at csfc_register@nsa.gov.  The client should notify CSfC PMO if completed forms are classified for appropriate delivery instructions.

Upon receipt of completed registration/compliance checklist forms, NSA will review the updated forms to ensure continued compliance with the relevant CP. If compliance is maintained, CSfC PMO will prepare a solution acknowledgement letter. Registrations will be valid for one year from the date of the acknowledgement letter. Registration approval periods for non-permanent solutions, such as for Military Exercises or Training, will be on a case-by-case basis.

Why do solutions need to be registered?

Per CNSS Policy 7, CSfC solutions operating on NSS or protecting NSS information need to be registered with NSA. The process of registering a CSfC solution leveraging a CSfC CP as well as registration forms are located on the CSfC website: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Solution-Registration/

When during the registration process should NSA be notified about registering a solution for approval?

Any client is strongly encouraged to email csfc_register@nsa.gov as early as possible in the registration process to discuss their plans and approach, before procuring equipment or finalizing a design.

Who oversees solution registrations?

The Commercial Solutions for Classified (CSfC) Program Management Office (PMO) manages all solution registrations.

Who will confirm that the compliance checklist is accurate and sign the CSfC registration form?

The registration form, compliance checklist and network diagrams are sent to the CSfC PMO. Upon verifying compliance, NSA will provide a solution registration acknowledgement letter. The customer’s Authorizing Official (AO) will confirm that the compliance checklist is accurate and will then sign the CSfC registration form.

Who will confirm that the master checklist is accurate and sign the Request Classified (CSfC) Registration Review form?

The master checklist is sent to the CSfC PMO. Upon verifying compliance, NSA will provide a solution registration acknowledgement letter. The customer's Authorizing Official (AO) will confirm that the master checklist is accurate and will then sign the Request Classified (CSfC) Registration Review form.

Who is responsible for developing, approving and implementing CSfC solutions?

The CSfC PMO oversees the entire CSfC program, approves the CPs, and verifies that solutions meet the requirements of one or more CPs. NSA is responsible for creating the Capability Packages (CPs) that describe CSfC approved designs. The National Information Assurance Partnership (NIAP) is responsible for testing and approving commercial components which meet the requirements of US Government or collaborative Protection Profiles (PPs). Clients and their AOs are responsible for implementing solutions that comply with CP specifications.

How long does it take to get registered?

The registration process varies case by case, depending on whether all required forms have been submitted and validated, the number of deviations, and mission priority.

Who assumes the risk for CSfC solutions?

The Deputy National Manager for National Security Systems (NSS) assumes the inherent risk in the solution designs as specified in the published CPs. The client's Authorizing Official (AO) is responsible for ensuring the fielded solution complies with the CP specifications and remains in compliance.


Trusted Integrator FAQs

Who oversees the Trusted Integrator (TI)?

The CSfC PMO vets the Trusted Integrator prior to including them on the Trusted Integrator List. The list provides a reference that a Client can use when engaging a Trusted Integrator to assist them.

What is the role and criteria to become a Trusted Integrator for CSfC?

Trusted Integrators support the client in the implementation of CSfC CPs. Trusted Integrators specialize in bringing together CSfC components in accordance with the CSfC CPs to ensure secure and proper solution functionality.

Trusted Integrators must be prepared to demonstrate, upon request from NSA, that they have the staff and processes in place to architect, design, integrate, test, document, field and support systems that meet the requirements of the CSfC program.

In order to become a Trusted Integrator, the sponsoring organization must comply with one or more of the following standards:

  • Management and technical requirements of the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)

  • National Voluntary Lab Accreditation Program, as per NIST Handbook 150

  • ISO9000, Quality Management Systems

  • Capability Maturity Model Integration (CMMI)

NSA will assess, based on Trusted Integrator input, whether organizations meet the criteria for CSfC Trusted Integrators.

If a company or an integrator believes they have an innovative solution addressing CSfC requirements, what can they do?

CSfC PMO encourages and welcomes innovation.  Companies may contact the CSfC PMO at: csfc@nsa.gov.

What costs are involved in becoming a Trusted Integrator?

There are no direct costs for becoming a Trusted Integrator. NSA, CSfC and NIAP do not charge for any evaluation oversight activities.

Where can the list of approved CSfC Trusted Integrators be found?

The list of CSfC approved Trusted Integrators can be found by visiting the CSfC webpage at: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Trusted-Integrator-List/

Additional information can be found online at:

Why is it important to become a CSfC Trusted Integrator?

The CSfC PMO defines the criteria and processes of the Trusted Integrator program.  The program provides a common baseline for vetting and enlisting the services of solution integrators to conceptualize, build, process and sustain CSfC solutions on behalf of National Security System clients.

Are CSfC customers mandated to work with a Trusted Integrator?

Although strongly recommended, it is not a requirement for customers to use a Trusted Integrator.

Do Trusted Integrator personnel need to hold some level of clearance to perform their duties?

Clearances for at least one team member shall be at least equivalent to the level of data to be processed by the solution. Integrator personnel responsible for integrating, testing, maintaining and responding to security incidents shall hold clearances that enable them to receive risk assessments and adequately address vulnerabilities.

Is it necessary that integrators have a secure facility?

It is not required that an integrator have a secure facility. However, the integrator must have access to a secure facility to receive classified risk assessments and test for classified vulnerabilities, if needed. The facility clearance shall be equivalent to the level of data to be processed by the solution.

A facility clearance is usually beneficial in order to be an effective TI, but workarounds are possible. During the registration process, a potential TI should enter into discussions with the CSfC PMO to discuss potential workarounds or other situations that would mitigate the need for a facility clearance.

If all criteria are met, how long does the process typically take between Trusted Integrator application submission, the follow-up meeting, and establishment of a Memorandum of Agreement (MOA)?

The process usually takes approximately one month from receipt of application to signed MOA.

Is it required that a Trusted Integrator (TI) hold a certification for one of the standards listed in Section 1.1 of the Criteria for CSfC Solution Integrators guidance or can the organization show compliance with one of the standards without having the certification?

Trusted Integrators are expected to satisfy all identifying criteria. Any questions concerning a specific requirement should be directed to the CSfC PMO at: csfc_integrators@nsa.gov.

Is prior CSfC work experience a requirement to become a Trusted Integrator?

Prior CSfC work experience is not required; however, any relevant experience/expertise in the requested areas should be noted on the TI application.


Web Presence FAQs

Where can the latest news and updates on CSfC be found?

The CSfC webpage contains current program information:

Where are the classified CSfC CP risk assessments located?

Classified assessments are only available on classified systems, thus only authorized users with the appropriate access will be able to access them. Specifically:

  • SIPRNet: https://intelshare.intelink.sgov.gov/sites/csfc

  • JWICS: https://csfc.sp.web.nsa.ic.gov/Pages/index.aspx

Points of Contact

What is the best way to contact Commercial Solutions for Classified (CSfC) PMO for general inquiries?

All inquiries and questions can be sent to the CSfC team via email at: csfc@nsa.gov.

Who is the contact for Commercial Solutions for Classified (CSfC) PMO for DoD or US Government customer inquiries?

All inquiries and questions can be sent to csfc@nsa.gov

What is the best way to contact NSA?

The best way to contact NSA is:

  • Phone: (301) 688-6524

The mailing address for the National Security Agency is:

  • 9800 Savage Rd, Suite 6272, Ft. George G. Meade, MD 20755

Who is the contact for US Government/IC Client Inquiries?

US Government and/or IC Client inquiries can be directed to:

  • Phone: (410) 854-4790, or

  • Email: iad_ccc@nsa.gov

Who is the contact for industry inquiries?

Industry inquiries can be directed to:

  • Phone: (410) 854-6091, or

  • Email: BAO@nsa.gov

Who is the contact for Department of Defense (DoD)/US Government Client Inquiries?

DoD/US Government Client inquiries can be directed to:

Where can more information about National Information Assurance Partnership (NIAP) Protection Profiles be found?

For further questions about Protection Profiles contact NIAP:

  • Phone: (410) 854-4458

  • Email: niap@niap-ccevs.org

  • Fax: (410) 854-6615