What is NSA Type 1 Encryption?

An NSA Type 1 encryption product is a device or system certified by the National Security Agency (NSA) for use in cryptographically securing classified United States Government (USG) information, when appropriately keyed. The USG classified data may range from Confidential to Secret to Top Secret.

The term “Type 1” refers only to products and not to information, keys, services, or controls. Type 1 products contain NSA-approved algorithms. Two families of algorithms are used: one classified and one public.

What Are NSA Type 1 Devices?

NSA Type 1 devices are available to USG users, their contractors, and federally sponsored non-U.S. Government activities subject to export restrictions in accordance with the International Traffic in Arms Regulations (ITAR). As cryptographic security devices, Type 1 encryptors are communications security (COMSEC) equipment. For effective COMSEC, sound cryptographic systems must be combined with transmission security, physical security, and emission security.

For decades, Type 1 was the only NSA cybersecurity designation regarding encryption. However, there is now an alternative in the NSA’s commercial encryption program: Commercial Solutions for Classified (CSfC). Each program has advantages and disadvantages, but both are fully supported NSA programs. This white paper offers a comparison of CSfC and Type 1.

The NSA spends many millions of dollars every year to develop Type 1 equipment. These NSA-developed Type 1 devices are not publicly known or available for general use. Many Type 1 data at rest products, by contrast, are developed by commercial companies (like L3Harris, General Dynamics, and ViaSat) and are generally publicly known and advertised. In both development processes, very strict requirements are applied, and these requirements are classified. For a new NSA Type 1 device to be developed, sponsorship by a significant program of record is normally essential, both for funding and for eliciting NSA support.

The use of Type 1 devices is also controlled by very strict requirements. Type 1 devices may be considered classified themselves and thus may require special handling, including transporting, securing, and storing. Serious consequences may apply for loss of a Type 1 device.

NSA Type 1 Layers

As opposed to CSfC solutions, which require two layers of encryption, NSA Type 1 encryption solutions require only one layer of encryption, as shown in Figure 1. This can prove advantageous when developing a data at rest solution for a deployed vehicle since less equipment may be required.

Figure 1: NSA Type 1 encryption, unlike CSfC, requires only one layer of encryption

Consideration Factors for a Type 1 Data at Rest Application

When evaluating NSA Type 1 devices, many factors may be considered. The importance of each factor will vary by application, and some factors important to a unique application may not even be listed below. However, this list is a great foundation for any evaluation of potential data at rest (DAR) solutions.

One important note to keep in mind is that a Type 1 encryptor by itself does not make a complete data at rest solution. A deployable data at rest solution, like the Unattended Network Storage (UNS), is composed of three basic components: a chassis, removable storage, and one or more encryptors. The chassis will include a processor, operating system, application software, and inputs/outputs (I/O). The removable storage will include one or multiple solid-state drives and structures to support and transport it.

Keep in mind that the DAR encryptors noted earlier are only encryptors, not file servers or solid-state storage. These encryptors are not complete solutions by themselves; to use them in deployed storage applications, each encryptor must be integrated into a network attached storage (NAS) system or device. The UNS incorporates two Type 1 data at rest encryptors. Used by USG entities today, this example NAS also includes a high-speed processor, operating system, application software, I/O, and removable solid-state storage.
