Keeping up to date with CSfC capability packages
StorySeptember 09, 2020
Since its introduction in 2014, the National Security Agency Commercial Solutions for Classified (CSfC) program has proven very effective in lowering the cost and speeding the accessibility of encryption for critical data-at-rest (DAR). Compared to the time and expense associated with acquiring certification and approval for Type 1 encryption solutions, CSfC has provided a breakthrough for defense and aerospace system integrators by establishing an approved means for using commercial encryption to protect critical data. What makes CSfC innovative is that it provided, for the first time, an authorized process for employing two layers of commercial off-the-shelf (COTS) encryption. These could be two layers of hardware, two layers of software, or a mix of hardware and software.
The very problem that CSfC addresses, the constant and ever-evolving threat of cyberattacks, has led to a regular update for the directives – called a Capability Package (CP) – on how to best implement CSfC. The CPs, published by the NSA Capabilities Directorate, provide the architectures and configuration requirements that enable customers to implement secure solutions using independent, layered COTS products. While the DAR CP is primarily a guideline for solution users and integrators, it also provides a set of guidelines for COTS vendors and system developers.
CPs are product-neutral and describe system-level solution frameworks, document-ing security and configuration requirements for customers and/or integrators. The most recent CSfC CP for data-at-rest, the CSfC Data-at-Rest Capability Package 4.8 (CSfC DAR CP 4.8), was published in October 2019. The next major release, CSfC DAR CP 5.0, would likely have been released early in 2020, if not for delays caused by COVID-19, but it is expected to become available relatively soon.
As CSfC is a relatively new program, the CPs enable updates that reflect lessons learned, new application cases, and technological evolution. Because the CSfC DAR CP is a living document that reflects the protean nature of cyberthreats, it’s imperative that systems integrators stay up to date on the latest editions of the directive in order to eliminate risk to their programs. Keeping abreast of the latest CSfC DAR CP helps to ensure that when a proposed CSfC solution is submitted to the Authorizing Official for approval, the solution is likely to be accepted, eliminating additional scheduling and cost burdens.
One of the most important new additions in CSfC DAR CP 4.8 is the Unattended Operations (UO) Use Case, which covers the management of unattended or remote managed DAR solutions and systems. “Unattended” implies “unmanned” or simply no person in the actual vehicle. Examples of unattended/unmanned vehicles or applications include:
- Unmanned aerial vehicles (UAVs)
- Unmanned underwater vehicles (UUVs)
- Unmanned surface vehicles (USVs)
- Unmanned ground vehicles (UGVs)
- Unmanned ISR [intelligence, surveillance, and reconnaissance] or radar site
- Unmanned EW [electronic warfare] monitoring station
As the use of unmanned applications has greatly increased, the importance of protecting critical data has become all the more important. For that reason, guidance for the UO use case was long suggested and desired, and its debut in CP 4.8 was a very welcome enhancement. A use case for Enterprise Management (EM) was also added in CP 4.8, but for defense deployed-ystem integrators, the corporate enterprise environment is less germane.
The individual layers in a CSfC solution are called components; commercial vendors develop products that are considered components in the CSfC program. Those products are put together and tested by trusted integrators to produce a solution. The guidance provided in DAR CP 4.8 helps integrators develop CSfC solutions for unattended operations. It also provides guidance to component developers for enhancing existing components or develop new ones. A CSfC solution can only be developed with components that are either in, or have completed, the CSfC approval process.
Each of the layers (HWFDE and SWFDE) in the Curtiss-Wright Data Transport System (DTS1) COTS network attached storage (NAS) device appear on the CSfC Components List. The unit (Figure 1) has been tested and validated to operate in the extended -45 ºC to +85 ºC operating temperature range – per MIL-STD-810G methods and procedures – which enables its use in very harsh deployed military environments, including high-altitude, long-endurance (HALE) UAS platforms that must operate as high as 40,000 feet (7.5 miles).
Steven Petric is senior product manager, data storage, in the Defense Solutions Division at Curtiss-Wright.
Curtiss-Wright Defense Solutions www.curtisswrightds.com