Welcome to the National Security Agency - NSA/CSS

Background

U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, the National Security Agency/Central Security Service's (NSA/CSS) Information Assurance Directorate (IAD) is developing new ways to leverage emerging technologies to deliver more timely IA solutions for rapidly evolving customer requirements.

NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.

Click to view Commercial Solutions for Classified Brochure (PDF)

What is the Process to get a Commercial Product CSfC-Listed?

Vendors who wish to have their products eligible as CSfC components of a composed, layered IA solution must build their products in accordance with the applicable U.S. Government Protection Profile(s) and submit their products using the Common Criteria Process.

NSA/CSS enters into an agreement with the vendor which may stipulate other requirements for the particular technology. Once the product has met these requirements, NSA/CSS will add it to the list of commercial products available for use in the CSfC program.

Interested vendors must complete and submit the CSfC Questionnaire (PDF) for each product.

What Protection Profiles are Published and in Development?

For a current listing of NIAP approved U.S. Government Protection Profiles, go to http://www.niap-ccevs.org/pp/.

For a listing of U.S. Government Protection Profiles currently in development, go to http://www.niap-ccevs.org/pp/draft_pps/.

Additional information about NIAP and the Common Criteria Evaluation and Validation Scheme can be found at http://www.niap-ccevs.org/.

What is a Capability Package?

NSA/CSS is developing sets of Capability Packages in order to provide our customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner.

CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements.

How can Customers/Integrators Implement a CSfC Capability Package?

For information or assistance in determining whether an approved Capability Package satisfies their requirements, U.S. Government customers (e.g., Department of Defense Components, Intelligence Community Organizations, and Federal Agencies) can engage NSA/CSS through their designated IAD Customer Advocates.

Integrators should coordinate through their U.S. Government customer points of contact.

The Future

Although NSA/CSS's strategy for protecting classified information continues to employ both commercially-based and traditional Government-Off-The-Shelf (GOTS) IA solutions, IAD will look first to commercial technology and commercial solutions in helping customers meet their needs for protecting classified information while continuing to support customers with existing GOTS IA solutions or needs that can only be met via GOTS.

Updates will be posted to this site as the Commercial Solutions for Classified program continues to progress.

Frequently Asked Questions

Click here to download the Non-Technical Frequently Asked Questions

Click here to download the Technical Frequently Asked Questions

CSfC Customer Handbook

Click here to download the Customer Handbook.  This will serve as a guide for CSfC customers on how to use the Capability Packages, CSfC Component Listing, Registration, and Lifecycle Support resources. 

General Questions

For general queries about the Commercial Solutions for Classified Program, email CSfC at csfc@nsa.gov.

Capability Packages

Campus WLAN Capability Package

The first Campus Wi-Fi Capability Package document to be released is the initial draft release of the Campus Wi-Fi Capability architecture for securing data in transit between mobile users to the Government enterprise. It is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied. As a first step, this version contains guidance on the required procedures and requirements for building and implementing a Campus Wi-Fi using commercial devices, including laptops.

This document is being provided to initiate discussions with our customers and industry. The Information Assurance Directorate welcomes comments, which can be sent to Wi-Fi@nsa.gov.

Click here to download the public comment release of this Capability Package: Campus Wi-Fi Capability Package (PDF)

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.

Multi-Site Virtual Private Network (VPN) Capability Package

Version 1.0 of the Multi-Site VPN Capability Package, dated 17 August 2012, has been approved by the IAD Director. This Capability Package provides VPN architectures for securing data in transit between multiple enclaves. It is intended to be a living reference that will be reviewed twice a year to ensure that the defined architecture and other instructions still provide the required security services and robustness.

Users of this Capability Package are responsible for obtaining, under their organization's established accreditation and approval processes, certification and accreditation of the user's implementation of this Capability Package. Solutions designed according to this Capability Package must be registered with NSA/IAD. Once registered, a signed IAD Approval Letter will be provided validating that the Multi-Site VPN Capability Package represents a CSFC solution approved for protecting classified information.

Click here to download the approved Multi-Site VPN Capability Package v1.0: Multi-Site Virtual Private Network Capability Package v1.0.

IAD welcomes comments on the approved Multi-Site VPN Capability Package v1.0, which can be sent to your NSA/IAD Client Advocate or the Multi-Site VPN Capability Package maintenance team at MultiSiteVPN@nsa.gov.

Updates to this Capability Package will be posted to this site. Check back frequently in order to keep up with the dynamic changes.

Mobility Capability Package

Go to NSA Mobility Program to download the Mobility Capability Package.