White Papers

What's New? Commercial Solutions for Classified Data-at-Rest Capability Package 5.0 Review

October 08, 2021 | BY: Paul Davis, Steven Petric

Download PDF

The National Security Agency/Central Security Service (NSA/CSS) is constantly developing new ways to leverage emerging technologies to deliver more timely Information Assurance (IA) solutions for rapidly evolving customer requirements. The NSA/CSS’s Commercial Solutions for Classified (CSfC) process enables commercial products to protect classified NSS information. CSfC solutions must be layered, consisting of two individual encryption layers called components. Commercial vendors develop components, put together and tested by trusted integrators, to produce a CSfC solution.

The CSfC Program within the NSA Capabilities Directorate publishes Capability Packages (CP) to provide architectures and configuration requirements that empower IA customers to implement secure solutions using independent, layered, commercial off-the-shelf (COTS) products. The CPs are product-neutral and describe system-level solution frameworks, documenting security and configuration requirements for customers and integrators.

The CSfC Data-at-Rest (DAR) CP has evolved over the last six years. Starting with the initial draft version 0.8 in July 2014, the DAR CP has matured and changed as expected with the ever-increasing CSfC-based storage applications in the field. The most recent incarnation of the DAR CP is version 5.0.

The DAR CP (and any other CP) is a public document produced by NSA to describe system-level solution frameworks, documenting security and configuration requirements for customers and integrators.

The DAR CP is focused on implementing cryptography to mitigate the risk to classified data from unauthenticated access when the device is powered off or unauthenticated. The DAR CP is intended to address DAR requirements and is designed to help those working to implement a solution to protect classified DAR. The CP provides guidance when combining two components from the NSA CSfC Components List to create a solution.

While a guideline primarily for solution users and integrators, the DAR CP also provides a set of guidelines for COTS vendors and developers. Vendors like Curtiss-Wright have used the DAR CP guidelines to develop COTS CSfC products. Since COTS vendors are encouraged to design new, innovative components that can be proposed in CSfC solutions, it only makes sense that those COTS vendors make sure that their components can be approved for use in a CSfC solution.

As noted earlier, a CSfC solution must include two layers of independent encryption components. Knowing that the solution integrators and users must get approval from NSA for their solution, responsible component vendors design to those guidelines so that solution integrators will be successful. After all, the COTS component vendors want to sell products successfully to the broadest market possible. Knowing that the component will meet the DAR CP guidelines reduces program and schedule risk for integrators (and their customers).

This paper will review the most recent changes from CP 4.0 to 5.0. Particular emphasis will be given to the more significant new topics: Unattended Operation Use Case and a hardware full-disk encryption (HWFDE) + HWFDE solution.

Read the full white paper.


Related Content

Author’s Biography

Paul Davis

Director, Product Management - Data Solutions

Paul Davis began his career for Curtiss-Wright as a Research Manager for the Dayton, OH facility in 1997. Paul has held positions including: Director of Engineering managing a staff of 40+ engineers, managers, technicians, and co-op students; Product Manager for the switches, recorders, and various board level products; and then Director of Product Management. Now retired, Paul worked in engineering and engineering management positions for 19 years.

Steven Petric

Author’s Biography

Steven Petric

Senior Product Manager, Data Storage

The Product Manager for our data storage solutions, Steven is a data driven product management professional with over 20 years of experience in bringing new offerings to market and improving existing offerings. He has a Masters in Business along with Pragmatic Marketing Certification and is a Project Management Professional (PMP).

Share This Article

  • Share on Linkedin
  • Share on Twitter
  • Share on Facebook
  • Share on Google+
Connect With Curtiss-Wright Connect With Curtiss-Wright Connect With Curtiss-Wright


Contact our sales team today to learn more about our products and services.





Our support team can help answer your questions - contact us today.