Commercial Solutions for Classified (CSfC) for Data at Rest (DAR) is the National Security Agency’s (NSA) data strategy for government clients within the National Security System. It relies on commercially available technology to protect classified stored data in the cloud, on hard drives, and on USB sticks.
If your work involves cybersecurity at the NSA or clients within the Department of Defense (DoD), the Intelligence Community (IC), Military Services, and other federal agencies, you will need to be familiar with this strategy and its uses.
Data, much of it classified, is a vital component in most missions and operations today. Keeping it secure from being detected, read, stolen, locked up, sold, used, or corrupted is essential. Yet, protecting stored data is becoming more challenging. Technology for capturing, storing, and transmitting data is increasingly mobile and on the edge. There is a greater risk of unauthorized access and misuse. With the increased adoption of Internet of Things (IoT) strategic devices, more data is being placed in greater danger.
The NSA recognized the growing DAR vulnerability, so it started the CSfC for DAR program to address the issue. The idea of using commercial off-the-shelf (COTS) products in systems to protect classified information was to fast-track the creation of security solutions that are more flexible, cost-effective, and scalable than government-developed programs. Using open and non-proprietary standards encourages co-creation among the best innovators in business, government, and R&D organizations. Driven by market demands, commercial solutions evolve faster and make use of the latest technology in data security for a competitive advantage, creating often-superior solutions that government developers cannot match.
The CSfC program is a community of participants, each contributing to its successful development and use. The key stakeholders include:
The NSA carefully investigates commercial vendors to ensure that they meet stringent security standards and that they have exceptional technical capabilities. Companies selected to participate in the various technical communities within the program must also have superior project management leadership. Those that make it through the rigorous vetting process can then contribute to the design, implementation, and management of CSfC data security solutions.
As the program evolved, integrators developed a structured approach to integrating commercial solutions into security applications. The advantages of creating CSfC capability packages for client agencies include:
Critical components integrated into many CSfC capability packages are the various types of access control mechanisms that ensure only authorized people can access DAR on a device. They are part of the mechanisms protecting data at rest on mission-critical systems.
The Federal Information Processing Standard (FIPS) 140-2 details data security requirements for encryption and decryption. It covers cryptographic key management, physical security, authentication, and self-testing.
NSA Guidelines for Encryption include the following approved algorithms:
Data security for data at rest relies on separate cryptographic keys and algorithms architected in multiple layers of security. If one cryptographic element is compromised, it doesn’t endanger all the other elements. To further protect against compromise, cryptographic operations are often isolated in separate hardware security modules.
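To illustrate the layering described above, here is an added example (not from the original article or the CSfC program): two layers, each with its own independently generated key and a different keyed primitive, so holding one key still leaves the data encrypted. `Layer`, `protect`, `recover` and the sample data are hypothetical names, and the HMAC-SHA-256 and BLAKE2b constructions are standard-library stand-ins for the approved algorithms a fielded product would use.

```python
import hashlib
import hmac
import secrets

# Two different keyed PRFs, so the layers share neither key nor algorithm.
# They are standard-library stand-ins for the approved ciphers a real product uses.
def prf_hmac_sha256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def prf_blake2b(key, msg):
    return hashlib.blake2b(msg, key=key, digest_size=32).digest()

class Layer:
    """One encrypt-then-MAC layer with its own independent key (hypothetical helper)."""
    def __init__(self, prf, key):
        self.prf = prf
        self.enc_key = prf(key, b"enc")   # separate subkeys for encryption and MAC
        self.mac_key = prf(key, b"mac")

    def _xor_stream(self, nonce, data):
        # Counter-mode keystream: PRF(enc_key, nonce || counter), XORed with the data
        blocks = (len(data) + 31) // 32
        stream = b"".join(self.prf(self.enc_key, nonce + i.to_bytes(8, "big"))
                          for i in range(blocks))
        return bytes(a ^ b for a, b in zip(data, stream))

    def seal(self, data):
        nonce = secrets.token_bytes(16)   # fresh nonce for every encryption
        ct = self._xor_stream(nonce, data)
        return nonce + ct + self.prf(self.mac_key, nonce + ct)

    def open(self, blob):
        if len(blob) < 48:                # 16-byte nonce + 32-byte tag minimum
            raise ValueError("blob too short")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self.prf(self.mac_key, nonce + ct)):
            raise ValueError("authentication failed: wrong key or modified data")
        return self._xor_stream(nonce, ct)

def protect(inner, outer, plaintext):
    return outer.seal(inner.seal(plaintext))

def recover(inner, outer, blob):
    return inner.open(outer.open(blob))

# Constructed sample: keys generated independently, as if held in separate modules
INNER = Layer(prf_hmac_sha256, secrets.token_bytes(32))
OUTER = Layer(prf_blake2b, secrets.token_bytes(32))
SECRET = b"constructed sample record"
STORED = protect(INNER, OUTER, SECRET)
```

Opening `STORED` with only `OUTER` returns the inner layer's ciphertext, which is the property the paragraph describes: compromise of one element does not expose the data.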
A comprehensive assessment of your cybersecurity systems and of your data security for data at rest is how you identify threats, vulnerabilities, and the measures in place to mitigate exploits. Audits are a useful internal tool, and they are also a requirement of all cybersecurity frameworks.
They are an integral part of risk management planning and operations, ideally fueling a culture of continuous improvement.
You will want to take a series of deliberate steps in structuring, implementing, running, maintaining, and improving a CSfC for DAR solution:
The future of CSfC for DAR will be driven by advancing technologies, increasing demand for flexibility in new applications and environments, and the need to deal with the mounting complexity of cybersecurity threats. You will want to work with an integrator who is leading in the fields of enhanced and post-quantum cryptography, emerging edge applications, and automated, modular, and customizable cybersecurity solutions that scale while still providing exceptional usability.