Commercial Solutions for Classified (CSfC) is essential for the National Security Agency (NSA) strategy to deliver secure cybersecurity solutions. The CSfC program leverages commercial encryption technologies and products to provide much-needed cybersecurity solutions quickly. Commercial encryption technologies are employed in many technologies today, such as automobiles, mobile phones, tablets, and home security systems.

The CSfC program was established to protect classified National Security Systems (NSS) data with commercial products in layered solutions. Solutions handling Top Secret/Sensitive Compartmentalized Information (TS/SCI) have been approved by the NSA.  CSfC provides security and efficiency: security through the ability to securely communicate based on commercial standards and efficiency through an NSA-managed program that offers a solution that can be fielded in months, not years.

Regarding the question posed in the blog title, the short answer is yes. When top-secret data is transported on removable media, it is sufficiently encrypted as to be considered unclassified.  There is much more to the story, so please read on for the details.

For more details regarding the CSfC program, reference the Curtiss-Wright whitepaper Data-At-Rest Encryption Series: Commercial Solutions for Classified (CSfC). 

CSfC Solution Example

The Curtiss-Wright Data Transport System (DTS1) product shown in Figure 1 is an example of a modern CSfC solution proposed.  The DTS1 is a rugged network attached storage (NAS) system currently deployed by numerous USG entities. It provides two certified layers of commercial encryption to protect data at rest (DAR).  The outer encryption layer is hardware full disk encryption (HWFDE), and the inner layer is software full disk encryption (SWFDE).

Figure 1 - Curtiss-Wright DTS1 and Transportable Removable Memory Cartridge

After the two layers of AES256-bit encryption encrypt the data, the data is stored on a solid-state drive housed inside a specially designed removable memory cartridge (RMC).  The RMC comes in various capacities, up to 8 terabytes (TB).  The removable memory cartridge can even be removed while the DTS1 still has power applied.  This capability, known as hot-swapping, is important so that the deployed vehicle does not have to be powered down.  Before removing the removable memory cartridge, the operator opens the latched door and then presses a button on the front of the removable memory cartridge.  This button initiates a shutdown procedure stopping data flow to that removable memory cartridge so that data does not become corrupted.  When the LED indicators on the removable memory cartridge light up in a proper sequence, the removable memory cartridge is ready to be removed for transport.  A new, fresh removable memory cartridge may be inserted at that time.

Is the RMC Considered Unclassified During Transport?

This question is one of the most frequently asked.  Classified data must be safely transported to and from the deployed vehicle. The CSfC DAR Capability Package (CP) states:

In a powered-off state, the device is completely off and not in any power-saving state. The EUD is considered unclassified but must still be handled in accordance with the implementing organizations’ AO policies. This applies to all removable media when unplugged from the host system. If the RMs have their own power states, the product documentation must be consulted to determine how to independently switch the product into a powered-off state.

In the example system, both the DTS1 and the removable memory cartridge are considered End User Devices (EUD).  Regarding the removable memory cartridge, the keywording is that this unclassified state applies to all removable media when unplugged from the host system.  In the DTS1 system, the removable memory cartridge is the removable media, and the removable memory cartridge is unpowered when removed from the DTS1.  It does not have a separate, independent power source. 

Note that even during transport, the removable memory cartridge must be handled in accordance with policies set by the Authorizing Official (AO) or Designated Approving Authority (DAA).  The AO sets the appropriate policies in place for each unique application or program.  The policies set may depend on whether the deployed vehicle is attended or unattended. It may also depend on the data classification level, and other factors deemed important by the AO.

Table 1 - RMC Classification During Transport

Is the Removable Memory Cartridge Unclassified When Inserted into the DTS1?

The short answer is that it depends on certain conditions.  To help explain this, four scenarios are explored below.  In each scenario, the removable memory cartridge is inserted into the DTS1. 

Scenario 1 – DTS1 powered off

If the DTS1 is powered off entirely and not in a power-saving state, then the DTS1 is considered unclassified.  The removable memory cartridge is deemed to be unclassified as well as the DTS1 in Scenario 1.  The RMC receives its power solely from the DTS1 and has no separate power source. 

Scenario 2 – DTS1 power on, neither encryption layer authenticated

If the DTS1 is powered on and in an unauthenticated state, then the DTS1 is considered unclassified.  This state cannot be entered by logging off after the initial login.  The removable memory cartridge is deemed to be unclassified as well as the DTS1 in Scenario 2. 

Scenario 3 - DTS1 power on, outer encryption layer only authenticated

If the DTS1 is powered on with the outer layer authenticated, the DTS1 is operational where the user has authenticated to the outer layer of hardware full disk encryption (HWFDE).  The DTS1 is in a state considered classified and should be handled accordingly.  The removable memory cartridge is considered classified as well as the DTS1 in Scenario 3.     

Scenario 4 - DTS1 power on, both encryption layers authenticated

If the DTS1 is powered on with both the outer (HWFDE) and inner (SWFDE) layers authenticated, the DTS1 is operational when the user has authenticated to two layers of data at rest encryption.  The DTS1 is in a state considered classified and should be handled accordingly.  The removable memory cartridge is considered classified as well. 

Table 2 - RMC Classification When Inserted in the DTS1

Summary

For the example DTS1 system, the removable memory cartridge is considered unclassified when removed and being transported.  It is unpowered while being transported.  This fact is important for deployed vehicles where classified data must be transported to and from the vehicle, as in Figure 2.

Figure 2 - Transport of Unclassified Removable Memory Cartridge

Also, it is important to note that the removable memory cartridge has no encryption mechanisms and has no power source other than the DTS1.  The two commercial encryption layers reside in the DTS1 only.  Two separate layers of AES256-bit encryption have encrypted the data residing on the removable memory cartridge. 

If an unauthorized party or adversary obtains the RMC in an unpowered state, it is considered unclassified per the NSA definition.  The unpowered state may be in one of two conditions: (1) while the removable memory cartridge is being transported by itself or (2) while the removable memory cartridge is inside the DTS1, but the system is unpowered. 

When the removable memory cartridge is inserted into the DTS1, the classification of the removable memory cartridge depends on the power status of the DTS1 (and in turn removable memory cartridge) plus the authentication status for the outer and inner layers.  Table 3 shows the various power and authentication states and the removable memory cartridge classification status in each.

Table 3 – Summary of RMC Classification Status in the Various States