PHOENIX – To safeguard our nation’s sensitive data from our skilled adversaries, the U.S. government must keep pace with the rapid changes in information assurance, trusted-computing, and cyber security technologies. However, even with the best system architects, the most advanced security solutions, such as government off the shelf Type 1 products, have long development and certification cycles.
As a result, integrating these solutions into National Security Systems used in mission-critical operations is slow and costly.
The U.S. government works under constant budget constraints and fear of unstoppable cyber threats. Conversely, commercial companies invest heavily in research and development, producing rapid and significant innovations in areas such as data assurance.
In 2015, the National Security Agency (NSA) and the Central Security Service launched the Commercial Solutions for Classified (CSfC) program to protect classified, secret and top secret data by leveraging commercial technologies in a sophisticated layered approach.
In situations where a traditional Type 1 solution is not required, the CSfC program provides the necessary framework to implement security solutions for data at rest on an end user device, and data in transit on red, gray and black networks. By adopting these agile commercial cyber security innovations, the CSfC program saves time and money for classified programs in all branches of government -- from benign data centers to forward-deployed systems and mobile devices in harsh, insecure environments. The goal of a CSfC security solution is to ensure that no unauthorized user obtains access to sensitive data.
As part of the CSfC program, the NSA developed vendor-neutral solution-level specifications called capability packages to deliver the security architecture for Data a Rest and Data In Transit using approved CSfC components from participating technology leaders. For example, in the data at rest capability packages, data protection is accomplished by integrating an inner and outer layer of hardware and software encryption.
A hardware full-disk encryption component such as a self-encrypting solid state drive, like the Mercury’s ASURRE-Stor SSD, is the outer layer while a file encryption or software full disk encryption solution is selected as the inner layer.
These two independent components using advanced encryption standard with 256-bit keys incorporate different cryptographic algorithms. This approach eliminates the likelihood that a single vulnerability can be exploited in security layers.
Classified, secret and top-secret data can be safely stored if all of the CSfC program requirements are successfully validated per the Capabilities Packages criteria defined by the NSA, including using only hardware and software approved by the NSA that is on the NSA's CSfC component list.
Before a component can be eligible for the CSfC program, its cryptographic algorithms must pass several levels of assurance. The National Institute of Standards and Technology (NIST) in Gaithersburg, Md., oversees the Federal Information Process Standards (FIPS) certifying the proper implementation of AES 256-bit cryptographic algorithms, key management, authentication algorithms.
The National Information Assurance Partnership (NIAP) oversees evaluations of commercial Information Technology (IT) products for use in national security systems. Hardware and software products must meet the criteria established in the relevant protection profiles needed for the intended CSfC capabilities packages and pass evaluation by the Common Criteria.
The protection profile criteria is complex and the development and evaluation process lengthy and rigorous. However, this is still significantly less than qualifying a Type 1 solution, which can take more than three years and millions of dollars. It is rumored that more than 50% of companies that start down the path for Common Criteria drop out before they reach certification because of the difficultly.
While implementing a CSfC solution is easier and quicker than a government off-the-shelf solution, it can still be a daunting process. To simply the process, the NSA has established a program for trusted CSfC integrators. These companies, or more precisely their processes and people, have been approved by the NSA to architect, design, integrate, test, document, field and support solutions in accordance with the appropriate capabilities packages and additional requirements of the CSfC program.
They are responsible for testing the resulting solution, providing a body of evidence to the solution Authorizing Official/Designated Approving Authority, maintaining the solution, and serving as the first line of response in troubleshooting or responding to security incidents and reporting them to the NSA.
Using a CSfC trusted integrator removes the burden from the end-customer and component suppliers, thereby reducing risk and time to market without compromising security. The trusted integrator can also register the solution with the NSA on behalf of their customer. However, the memorandum of agreement is always between the customer and the NSA. Each CSfC solution must be reviewed and certified by the NSA for every unique end application -- even if the same hardware and software components are used and integrated the same way.
The CSfC program continues to evolve to incorporate the framework to protect new applications under cyber-attack previously only protected with Type 1 solutions such as unattended applications. While there will always be the need for Type 1 solutions, the NSA is moving towards more national security systems protected by two layers of secure commercial technologies to increase the agility and effectiveness of military and government agencies.
To learn more about CSfC and data in rest solutions, please join the CSfC ecosystem of component suppliers, trusted integrators, government agencies and customers implementing CSfC solutions at the CSfC Technology Day Forum on Thursday, October 10, 2019 in Linthicum Heights, MD.
Jennifer Keenan is senior product marketing manager for the Mercury Systems Microelectronics Secure Solutions group in Phoenix. Contact Mercury Systems online at www.mrcy.com.