Developing CSfC secure data solutions: Waivers no longer required for storage devices
StoryMarch 13, 2024
Chris Kruell
CDSG
Military and government agency program regulations require their sensitive data at rest (DAR) to be securely encrypted and stored in a variety of applications, including in uncrewed systems, servers, and other endpoint devices. Shouldn’t we be following the rules? Rules that call for highly sensitive information to be securely encrypted and stored? Unfortunately, it has been too easy to acquire exceptions to these regulations, especially when it comes to data-storage solutions, thus putting the nation’s data at risk. The NSA CSfC [National Security Agency Commercial Solutions for Classified] program was launched in 2016 to make it easier to secure data by using certified, off-the-shelf products. With the advent of new NSA-approved off-the-shelf secure storage solutions, waivers that skirt secure storage requirements no longer need to be granted.
Data security solutions developed with the U.S. government’s National Security Agency (NSA)-approved Commercial Solutions for Classified (CSfC) are used to protect sensitive information of all kinds and are built with commercial off-the-shelf (COTS) technologies. CSfC solutions have primarily been used by the U.S. Department of Defense (DoD), the intelligence community, military services, and other government agencies, though those who are concerned about protecting confidential data should also consider implementing solutions built with CSfC-listed products and components. Occasionally and if deemed necessary, exceptions called waivers or deviations can be granted by a program authorizing official (AO), or someone who is chartered with accepting the risk of implementing a non-CSfC solution. As more products are added to the CSfC component list, waivers should not be granted as frequently as in the past.
Before CSfC: Type 1 encryption systems and GOTS products
Until the advent of the CSfC program, government program managers and others needed to procure expensive NSA Type 1 encryption solutions to protect top secret information. Government off-the-shelf (GOTS) products may sometimes meet the security standards required by a particular agency or application. GOTS products and Type 1 systems are typically for specific programs or agencies, and they contain specific NSA-approved encryption algorithms.
The usage of Type 1 systems is highly restricted. Because a Type 1 product is itself a classified system, it must be appropriately protected, and its usage properly guarded. (The NSA has also defined Type 2, Type 3, and Type 4 systems for less sensitive information.)
The usage restrictions, as well as the cost, have limited the propagation of Type 1 systems, which is problematic as the rapid creation of sensitive digital information has more than tracked with the information explosion in the civilian world.
Commercial Solutions for Classified (CSfC) unveiled
In the ever-evolving cybersecurity landscape, the NSA’s CSfC program is an innovative step forward to securely encrypt top-secret and other sensitive information. Once launched in the mid-2010s, CSfC revamped the approach to handling classified information by enabling the integration of commercial off-the-shelf (COTS) products to protect national security systems. To create a CSfC data security solution, the solution must be built using CSfC-listed components. If no such component exists, a waiver may be requested.
The CSfC framework enables government entities to access and utilize COTS products, provided they meet specific criteria outlined by the NSA. This approach is a significant step in addressing two problems: it enhances affordability and ensures a continuous influx of innovative products into classified data usage and storage. (Figure 1.)
[Figure 1 ǀ A diagram maps self-encrypting drive types, security, and cost.]
In addition to being built from commercially available components, CSfC solutions require two layers of encryption, each from a different source, whether those sources are two different vendors or two different types of encryption.
Unlike traditional approaches in which cybersecurity solutions were developed for very specific applications, often taking years to materialize, CSfC enables government agencies to harness the expertise and resources of private companies and existing products.
CSfC requirements
Stringent standards and requirements set by the NSA govern the certification process for products seeking CSfC listing. The NSA has defined several capability packages (CPs) against which products are tested. CPs exist for securing data at rest (DAR), protecting information as it traverses an untrusted network, commercial device access of secure services over a campus wireless local network, and the like. Rigorous evaluations ascertain the suitability of these products for handling sensitive information, contributing to the creation of a trusted ecosystem of solutions designed to safeguard classified DAR.
Two layers of encryption in CSfC DAR solutions
CSfC’s approach to secure storage solutions involves the implementation of layered security, combining various components such as virtual private networks (VPNs), firewalls, intrusion detection systems (IDS), and cryptographic modules. Particularly in DAR applications, the program mandates the use of two layers of encryption to fortify the protection of classified national-security systems and other sensitive data.
Capability packages calling for two layers of encryption for classified information storage are often referred to as COTS end-to-end strategies. While there are advanced off-the-shelf SSD products that provide one layer of protection, CSfC mandates the incorporation of a second layer from another source, fostering a comprehensive security posture.
NSA waivers or deviations
While CSfC has transformed the landscape of secure data solutions, waivers or deviations can be requested and approved for the use of non-CSfC products. A waiver, in this context, serves as an exemption granted by the government, allowing organizations to bypass specific CSfC requirements.
Historically, organizations could request waivers from the NSA for products not appearing on the CSfC list. This flexibility was crucial in situations where the urgency of implementing cybersecurity solutions outweighed the availability of CSfC-listed products. The increasing need for secure DAR solutions caused program managers to specify standard SSDs in computers and other devices since no SSDs in modern form factors (for example, NVMe M.2 2280 used in client devices such as laptops) existed on the CSfC Storage Component list.
However, with the recent inclusion of FIPS SSDs on the CSfC list, the need for waivers for secure SSD data storage has been eliminated.
Value of the CSfC program
- Access to affordable, secure solutions: CSfC enables government agencies to benefit from cost-effective yet secure commercial technologies.
- Enhanced flexibility: The program empowers government entities to adapt swiftly to evolving security requirements and technological advancements.
- Rapid deployment of technologies: CSfC accelerates the integration of new technologies, fostering agility and responsiveness.
- Catalyst for private-sector innovation: By encouraging collaboration with private companies, CSfC stimulates innovation and raises industry standards.
- Cutting-edge cybersecurity products: Government agencies leveraging CSfC enjoy access to the latest and most advanced cybersecurity solutions.
- Protection of national-security systems: CSfC employs cutting-edge technologies to fortify the security of national assets and classified information.
The impact
The milestone of the DIGISTOR CSfC listing for its FIPS 140-2 L2 SSDs (which also meet the international Common Criteria standards and as a result are NIAP-listed) is important since it enables off-the-shelf NVMe and SATA SSDs to be integrated into secure DAR solutions, including those used on the battlefield. In addition, the pre-boot authentication (PBA) portion of DIGISTOR Citadel C Series SSDs marks a significant milestone in the landscape of secure storage solutions. Before this inclusion, developers and implementers of similar technology had to navigate the complex process of obtaining waivers from the NSA. (Figure 2.)
[Figure 2 ǀ The DIGISTOR CSfC listing enables integration of off-the-shelf NVMe and SATA solid-state drives into secure data-at-rest solutions.]
With these drives now listed on the CSfC storage component list, the NSA has communicated its intention to discontinue issuing waivers for similar products, although this intent may not be widely known. This shift emphasizes the program’s commitment to promoting listed storage components and discouraging the use of unapproved products for classified information storage.
Navigating the future of secure storage
As CSfC continues to evolve, its impact on the realm of secure storage solutions becomes increasingly pronounced. The program’s emphasis on layered security, stringent certification processes, and collaboration with private-sector innovators positions it as a driving force in the protection of classified information. The elimination of cyber waivers for storage components underscores the program’s maturation and its pivotal role in shaping the future of secure communications within the realm of classified information. As organizations continue to navigate the complex landscape of cybersecurity, CSfC is an important sign of data security, providing a framework for the integration of cutting-edge technologies into the safeguarding of our national assets.
Marketing director Chris Kruell leads the sphere of marketing activities at CDSG, including corporate branding, corporate and marketing communications, product marketing, marketing programs, and marketing strategy. In his spare time, Chris is an alpine climbing instructor and has served as president and board member of the Mazamas, a Portland-based nonprofit organization that fosters a love of the mountains. Chris holds a BS degree from Cornell University and an MA degree from Hamline University. Readers may reach him at ckruell@cdsg.com.
CDSG https://cdsg.com/
