Post on 03-Jan-2017
CONFIDENCE IN CYBERSPACE
Commercial Solutions for Classified (CSfC) Strategic Initiative
CSfC requirements are specified in Capability Packages (CPs) at the system level and in Protection Profiles (PPs) at the component level; COTS components are used to meet those requirements.
CSfC: Layering commercial technologies to protect National Security Systems and information
Assurances
• Layered solutions; diversity in components
• Component selection
• Security testing of Capability Packages
• Classified Risk Assessment
• Independent Senior Review of CPs
Benefits
• Improved access to information
• Releasable to int’l partners
• Flexibility in selecting products
• Latest commercial IT technology
• Flexibility/speed updating IT
Commercial Solutions for Classified
USG & Industry require immediate use of the market’s most modern commercial hardware and software technologies within NSS to achieve mission objectives.
Secure solution built by trusted integrators using NSA security requirements & layering approved components.
CSfC requirements are specified in CPs at system level and PPs at component level.
Solution flow: NIAP Protection Profiles & CSfC Capability Packages -> CSfC Components List (approved COTS components are selected to meet requirements) -> NSA’s Trusted Integrator Process (vets integrators against criteria regarding their organization & personnel) -> Composed Solution -> User
Provides the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.
Responsibilities & Risks
CSfC solutions follow a different risk paradigm from GOTS.
NSA/IAD responsibilities
• Author and maintain capability packages in accordance with official customer requirements
• Solicit community input and comments on capability packages
• Engage with commercial vendors
• Engage with NIAP
Customer/AO responsibilities
• Review and validate CSfC solution body of evidence, including CSfC compliance matrix
• Record all deviations and submit for approval by NSA
• Register all CSfC solutions with the CSfC PMO
• Act on national manager notifications
NSA/IAD risks
• Assess CP/solution risks
• Publish classified risk assessment
• Issue national manager notifications
Customer/AO risks
• Review NSA-published risk assessments
• Consider how residual risks will affect operational application
• Accept residual risks and approve operation of CSfC solution
• No shift/conveyance of authority for approving deviations
• More transparency of risks (shared risk assessments)
• Shared analysis and acceptance of risks
Mitigating the Risks
Specification: Capability Pkgs; Protection Profiles; Agreements with Vendors; Components List; Layering; Diversity; Risk Assessments
Deployment: Trusted Integrators; Customer Registration; Owner C&A; Establish Situational Awareness
Testing & Integration: Component Evaluations; System Testing
Monitoring & Response: Local Monitoring; Incident Reporting & Discovery; Vendor Mitigations; Audit/Assessment
VPN Solutions: Operational & Upcoming
[Chart: VPN CP Registrations, 2012 through 2014 (as of August), showing when the VPN v2 CP and VPN v3 CP were published, registrations made before the registration process, approved/operational solutions and anticipated registrations; registrants include COCOMs, Services, an Agency and non-DoD customers.]
WLAN Solutions: Operational & Upcoming
[Chart: Campus WLAN CP Registrations, 2011 through 2013 plus anticipated registrations, showing when the WLAN v1.1 Capability Package was published, registrations made before the registration process, approved/operational solutions (required NSA signature) and upcoming registrations through Aug 2014; registrants include Agencies, Services, COCOMs and non-DoD customers.]
Mobile Solutions: Operational & Upcoming
[Chart: Mobile Access CP Registrations, 2012 through 2014 plus anticipated registrations, showing registrations made before the registration process, approved/operational solutions (require NSA signature), upcoming registrations and the Mobile Access Capability Package to be published Feb 2015; registrants include Services, Agencies, multiple-agency registrations, a COCOM and non-DoD customers.]
Capability Packages
Published
• Virtual Private Network (VPN) v3.0
• Campus WLAN v1.1
• Data at Rest (DAR) v0.8 (draft of v1.0)
• Mobility CP v2.3 has been changed to Mobility Security Guide
In Process
• Mobile Access v1.0 (Cellular & Trusted Hotspot) – Expected Pub: FEB15
• Data at Rest (DAR) v1.0 (lost laptop) – Expected Pub: 1Q FY-2015
Future
• Mobile Access CP v2.0
• Multi Site Connectivity (high speed) – Expected Pub: CY 2015
• Campus WLAN v2 (shared wireless layer) – Expected Pub: JUN 15
www.nsa.gov/ia/programs/csfc_program/index.shtml
Components
• CSfC Components Lists updated ~ weekly
- Must be under contract with NIAP
- NIAP PP with CSfC selections
- MoA with NSA
CSfC Components List
Published
• IPSec VPN Gateways – Product Series from Apriva, Aruba, Cisco, Fortress and Juniper
• WLAN Access System – Product Series from Aruba, Cisco and Fortress
• Certificate Authority – Microsoft
• IPSec VPN Client – Product Series from Aruba, Cisco, Microsoft and Samsung
• SIP Server – Cisco
• Mobile Platform – Product Series from Boeing and Samsung
• Mobile Device Management – MobileIron
• Software Full Disk Encryption – Microsoft BitLocker
• VoIP Applications – Cisco and Cellcrypt
• Traffic Filter Firewall – Product Series from Aruba, Cisco and Juniper
www.nsa.gov/ia/programs/csfc_program/index.shtml
In Progress
• IPS
• WLAN Clients
• Email Clients
• Web Browsers
CSfC Components: evaluated in NIAP against a PP with CSfC selections, with an MoA with NSA
CSfC Trusted Integrators
Integrators build, test, document, and maintain/troubleshoot CSfC solutions.
NSA’s Trusted Integrator Process vets Integrators against criteria regarding their organization and personnel:
- Robust business practices
- Access to secure facility/clearances
- Test methodologies
- Personnel certifications
- Understanding of CSfC
Memorandum of Agreement (MoA) with NSA
Criteria and Application available on CSfC website
List published on CSfC website
CSfC Way Ahead
CSfC Specifications and More…
Publish New/Updated Capability Packages
- Multi Site Connectivity (High speed)
- WLAN v2 (shared WPA2)
- Data at Rest
- Mobile Access
Update CSfC Components List
Update Trusted Integrator List on www.nsa.gov
CSfC Registration Process
1. CP Publication: IAD publishes CP
2. CP Execution: Customer implements solution based on CP requirements
3. Solution Testing: Customer conducts site-based testing on solution
4. CP Registration: Customer registers with IAD to use CP
5. Registration Acknowledgement: Administrative acknowledgement of customer registration
6. AO Authorization: AO grants Authority to Operate
CSfC Takeaways
For maximum benefit…
Authorizing Officials:
• Confirm compliance with Capability Package
- Use compliance matrices for body of evidence
• Accept residual risks related to fielding CSfC solutions
• Ensure solutions are registered with the CSfC PMO
Acquisition/Procurement (for RFIs, RFPs, SOWs):
• Require products from CSfC Components List
- In accordance with CNSSP 11
• Recommend CSfC Trusted Integrators
For Up-to-Date Information: www.nsa.gov/ia/programs/csfc_program/index.shtml
Sign up to receive CSfC updates: csfc@nsa.gov
BACKUP SLIDES
Commercial Solutions for Classified
National Manager-approved CSfC solutions are specified in Capability Packages (CP)
– Initial CSfC Components List published on nsa.gov
– Components used in CSfC solutions are validated against NIAP Protection Profile requirements
Now applying IAD-approved layered commercial solutions to protect classified information
ADOPTION
– Users: up ~2X (2013 to 2014)
– Up ~3X (2013 to 2014)
NIAP Protection Profile Evaluations:
– Typically completed within 90 days (4-6x faster than EAL-based NIAP evals)
– NIAP Product Compliance List (PCL) grew 10x since Dec 2013 (2 product lines to 21)
– DoD and IC acquisitions increasingly comply with CNSSP-11
CSfC REGISTRATIONS: # of CSfC registrations in 1QCY14 exceeded CY13 total.
CSfC MoAs SIGNED: 9 new CSfC MoAs signed with component vendors in 2QCY14