Leveraging Secure Commercial Routing Technology to Protect Data-in-motion
August 04, 2020 | BY: Mike Southworth
Published in Military Embedded Systems
Specifically, the Commercial Solutions for Classified (CSfC) program run by the NSA’s Information Assurance Directorate (IAD) enables cost-effective commercial products to be used in layered solutions to protect National Security System (NSS) data classified as secret. This approach makes it far less burdensome to secure embedded network communications onboard an aircraft, vessel, or ground vehicle, since integrators can use a layered commercial solution based on public cryptography and secure protocol standards rather than being limited to NSA Type 1 devices.
In the last few years, the NSA replaced the Suite B algorithms – in use since 2005 for protecting classified and unclassified NSS – with new algorithms included in the Commercial National Security Algorithm Suite (CNSA Suite) as part of its plans for transitioning users to quantum-resistant algorithms.
CSfC requires the use of two encryption layers, which can be both hardware, both software, or a mix of the two. System integrators can select approved commercial components from the NSA Central Security Service (CSS) Components List (http://www.nsa.gov/resources/everyone/csfc/components-list/), which shows approved cybersecurity solutions, enabling system designers to speed their system development.
Originally, CSfC’s Manufacturer Diversity Requirements required system integrators to select each of the two encryption layers from a separate vendor. That rule has been updated and now permits “single-manufacturer implementations of both layers,” under specified conditions, when the manufacturer can prove sufficient independence between the code bases and cryptographic implementations of the products used to implement each layer.
To date, Cisco is the only supplier with data-in-motion products on the CSfC-approved components list that can be used to implement both the first and second layer of encryption to satisfy CSfC requirements. Pairing a secure Cisco router with a Cisco firewall, each built on a different code base, can satisfy the requirement for two independent layers of encryption.