Commercial Solutions for Classified (CSfC) for Data at Rest (DAR) is the National Security Agency’s (NSA) data strategy for government clients within the National Security System. It relies on commercially available technology to protect classified stored data in the cloud, on hard drives, and USB sticks.

If your work involves cybersecurity at the NSA or clients within the Department of Defense (DoD), the Intelligence Community (IC), Military Services, and other federal agencies, you will need to be familiar with this strategy and its uses. 

Why is protecting Data-at-Rest (DAR) in CSfC so important?

Data, much of it classified, is a vital component in most missions and operations today. Keeping it secure from being detected, read, stolen, locked up, sold, used, or corrupted, is essential. Yet protecting stored data is growing more challenging.  Technology for capturing, storing, and transmitting data is increasingly mobile and on the edge. There it is at greater risk of unauthorized access and misuse. With the increased adoption of Internet of Things (IoT) strategic devices, more data is being placed in greater danger. 

Overview of the CSfC data security program

The NSA recognized the growing DAR vulnerability, so it started the CSfC for DAR program to address the issue. The idea of using commercial off-the-shelf (COTS) products in systems to protect classified information was to fast-track the creation of security solutions that are more flexible, cost-effective, and scalable than government-developed programs. Using open and non-propriety standards encourages co-creation among the best innovators in business, government, and R&D organizations. Driven by market demands, commercial solutions evolve faster and make use of the latest technology in data security for a competitive advantage, creating often-superior solutions that government developers cannot match.

Understanding CSfC program stakeholders

The CSFC program is a community of participants, each contributing to its successful development and use. The key stakeholders include:

• Administrator: The NSA oversees the program, providing guidance, establishing frameworks for protecting data, certifying products, engaging the various stakeholders, providing oversight, monitoring compliance, tracking incidents, and providing training.
• Clients: Federal agencies that produce and use classified data, including intelligence agencies, the DoD and DHS, are examples of clients that need security solutions.
• Commercial Vendors: These are companies that develop, integrate, maintain and service the commercial technologies and components used in the program.
• Users: Operators in the field, government employees and contractors that capture, store, transmit and use sensitive data, and the people who actually engage with the CSfC for DAR security solutions. 
• Systems Integrators and IT Teams: These teams of experts design and implement CSfC solutions, deploy them, and then monitor their use, ensuring they stay compliant. 
• Auditors and Inspectors: These officials assess and audit CSfC solutions to ensure they proper implementation and use—and that they adhere to security standards. When an incident arises, they play a key role in discovering what happened and driving continuous improvement. 
• R&D Institutions: While commercial developers produce significant innovation, academic and research institutions, along with innovation labs, are a rich source of new methodologies and technologies. 

Role of trusted integrators in the CSfC community

The NSA carefully investigates commercial vendors to ensure that they meet stringent security standards and that they have exceptional technical capabilities. Companies selected to  participate in the various technical communities within the program must also have superior project management leadership. Those that make it through the rigorous vetting process can then contribute to the design, implementation, and management of CSfC data security solutions.

Advantages of capability packages in the CSfC program

As the program evolved, integrators developed a structured approach to integrating commercial solutions into security applications. The advantages of creating CSfC capability packages for client agencies include:

• Using best practices and predefined architectures, packages offer consistency and standardization
• Straightforward and streamlined implementation using pre-approved components with clear and detailed instructions for design and implementation
• Faster development time for schedule and cost efficiencies
• Because components have already gone through a stringent evaluation ad testing process and they can be deployed in multi-layered approach, enhancing security
• Applications that are more flexible to adapt to specific operations and and environments and that can quickly scale
• Documentation, auditing, and certification for less burdensome compliance 
• The resulting packages are easier to support, maintain and upgrade

A critical component integrated in many CSfC capability packages are the various types of access control mechanisms that ensure only authorized people can access DAR on a device. They are part of the mechanisms protecting data at rest on mission-critical systems.

Approved technologies for data-at-rest encryption

The Federal Information Processing Standard (FIPS) 140-2 details data security requirements for encryption and decryption. It covers cryptographic key management, physical security, authentication, and self-testing. 

NSA Guidelines for Encryption include the following approved algorithms:

• AES (Advanced Encryption Standard) supports key lengths of 128, 192, and 256 bits, with AES-256 recommended for top-secret data.
• SHA (Secure Hash Algorithm) ensures data integrity and authenticity.
• ECC (Elliptic Curve Cryptography) is endorsed for digital signatures and public-key encryption
• RSA (Rivest-Shamir-Adleman) has been largely replaced by ECC, but is still approved with a minimum key size of 2048 bits.

Cryptographic independence

Data security for data at rest relies on separate cryptographic keys and algorithms architected in multiple layers of security. If one cryptographic element is compromised, it doesn’t endanger all the other elements. To further protect against compromise, cryptographic operations are often isolated in separate hardware security modules. 

Importance of audits and reporting for data security

Making a comprehensive assessment of your cybersecurity systems and data security for data at rest is how you can identify threats, vulnerabilities and measures in place to mitigate exploits. While audits are a useful internal tool, they are a requirement of all cybersecurity frameworks.

They are an integral part of risk management planning and operations, ideally fueling a culture of continuous improvement.

Implementing CSfC for DAR solutions effectively

You will want to take a series of deliberate steps in structuring, implementing, running, maintaining, and improving a CSfC for DAR solution:

1. Select a CSFC-registered integrator with demonstrated knowledge of NSA requirements and expertise in the latest DAR data security technologies
2. Define your objectives and success metrics and then move on to planning and preparation
3. Work with your integrator to design your DAR solution and select your components
4. Integrate, configure components, run tests, and produce documentation
5. Submit for approval as part of the NSA review process for CSfC registration
6. Deploy and monitor, 
7. Maintenance and updates include regular audits and engaging in continuous improvement initiatives as a core part of the program

Conclusion and future outlook

The future of CSFC for DAR will be driven by advancing technologies, increasing demand for flexibility in new applications and environments, and the need to deal with the mounting complexity of cybersecurity threats. You will want to work with an integrator who is leading in the fields of enhanced and post-quantum cryptography, emerging edge applications, automated, modular, and customizable cybersecurity solutions that scale, while still providing exceptional usability.