Welcome to the National Security Agency - NSA/CSS

Background

U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, the National Security Agency/Central Security Service's (NSA/CSS) Information Assurance Directorate (IAD) is developing new ways to leverage emerging technologies to deliver more timely IA solutions for rapidly evolving customer requirements.

NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.

Click to view Commercial Solutions for Classified Brochure (PDF)

What is the Process to get a Commercial Product CSfC-Listed?

Vendors who wish to have their products eligible as CSfC components of a composed, layered IA solution must build their products in accordance with the applicable U.S. Government Protection Profile(s) and submit their products using the Common Criteria Process.

NSA/CSS enters into an agreement with the vendor which may stipulate other requirements for the particular technology. Once the product has met these requirements, NSA/CSS will add it to the list of commercial products available for use in the CSfC program.

Interested vendors must complete and submit the CSfC Questionnaire (PDF) for each product.

What Protection Profiles are Published and in Development?

For a current listing of NIAP approved U.S. Government Protection Profiles, go to http://www.niap-ccevs.org/pp/.

For a listing of U.S. Government Protection Profiles currently in development, go to http://www.niap-ccevs.org/pp/draft_pps/.

Additional information about NIAP and the Common Criteria Evaluation and Validation Scheme can be found at http://www.niap-ccevs.org/.

What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

Capability Packages identify the critical architectural components and provide descriptions of the role each component plays in protecting the data. They will also include: a list of approved CSfC products, guidance for customers/integrators, administrators, testers, and accreditors.

How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA/CSS through their designated IAD Customer Advocates.

Integrators should coordinate through their U.S. Government customer points of contact.

The Future

Although NSA/CSS's strategy for protecting classified information continues to employ both commercially-based and traditional Government-Off-The-Shelf (GOTS) IA solutions, IAD will look first to commercial technology and commercial solutions in helping customers meet their needs for protecting classified information while continuing to support customers with existing GOTS IA solutions or needs that can only be met via GOTS.

Updates will be posted to this site as the Commercial Solutions for Classified program continues to progress.

Frequently Asked Questions

Click here to download the Non-Technical Frequently Asked Questions

Click here to download the Technical Frequently Asked Questions

General Questions

For general queries about the Commercial Solutions for Classified Program, email CSfC at csfc@nsa.gov.

Capability Packages

Multi-Site Virtual Private Network (VPN) Capability Package

The first Virtual Private Network (VPN) Capability Package document to be released is the initial draft release of the Multi-Site VPN architecture for securing data in transit between multiple enclaves. It is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied. As a first step, this version contains guidance on the required procedures and requirements for building and implementing a Multi-Site VPN using commercial VPN devices.

This document is being provided to initiate discussions with our customers and industry. The Information Assurance Directorate welcomes comments, which can be sent to MultiSiteVPN@nsa.gov.

Click here to download the public comment release of this Capability Package: Multi-Site Virtual Private Network Capability Package (PDF)

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.

Secure VoIP Mobility Ver 1.1 Capability Package

This Capability Package defines the first phase of the Enterprise Mobility Architecture and focuses on the architectural components of providing a Secure VoIP capability using commercial grade products. Future releases will build on this architecture and will include mobile device management and data applications; and ultimately integrate the Wi-Fi service with an expanded list of end devices.

Go to NSA Mobility Program to download this Capability Package.