Keeping Up To Date With CSfC Capability Packages

Since its introduction in 2014, the National Security Agency Commercial Solutions for Classified (CSfC) program has proven very effective in lowering the cost and speeding the accessibility of encryption for critical data-at-rest (DAR). Compared to the time and expense associated with acquiring certification and approval for Type 1 encryption solutions, CSfC has provided a breakthrough for defense and aerospace system integrators by establishing an approved means for using commercial encryption to protect critical data. What makes CSfC innovative is that it provided, for the first time, an authorized process for employing two layers of commercial off-the-shelf (COTS) encryption. These could be two layers of hardware, two layers of software, or a mix of hardware and software.

The very problem that CSfC addresses, the constant and ever-evolving threat of cyberattacks, has led to regular updates of the directives, called Capability Packages (CPs), on how best to implement CSfC. The CPs, published by the NSA Capabilities Directorate, provide the architectures and configuration requirements that enable customers to implement secure solutions using independent, layered COTS products. While the DAR CP is primarily a guideline for solution users and integrators, it also provides a set of guidelines for COTS vendors and system developers.

CPs are product-neutral and describe system-level solution frameworks, documenting security and configuration requirements for customers and/or integrators. The most recent CSfC CP for data-at-rest, the CSfC Data-at-Rest Capability Package 4.8 (CSfC DAR CP 4.8), was published in October 2019. The next major release, CSfC DAR CP 5.0, would likely have been released early in 2020, if not for delays caused by COVID-19, but it is expected to become available relatively soon.

