Safeguard critical and classified data at rest (DAR) with a  trusted Commercial Solution for Classified (CSfC) certified Hardware Full Drive Encryption (FDE) solution from Cigent. The Cigent CSfC solution enables you to address the stringent government requirements for data security on endpoint systems. Cigent Data Defense Pre-Boot Authentication software,  combined with a CSfC-certified drive, is validated to satisfy the NSA reference architecture requirements for protecting government data.   

• For members of critical infrastructure organizations, military or government agencies, and intelligence communities
• Goes well beyond the minimum required security measures of numerous government agencies 
• Delivers the highest level of data security to protect your data at rest

Key Takeaways

• Understanding and utilizing the CSfC program is essential for enhanced data security
• Cigent provides tailored CSfC-compliant solutions with additional features such as hidden encrypted partitions, dual layers of encryption, and multi-factor step-up authentication to ensure maximum protection
• Partner with Cigent today for data security solutions that meet the most stringent cybersecurity requirements

What is Commercial Solutions for Classified (CSfC)?

Commercial Solutions for Classified (CSfC) is a certification program initiated by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). The CSfC program enables the use of commercial products for securing classified information. Within the CSfC program, there are various Capability Packages (CPs) that outline specific requirements for different security levels and use cases. DAR, or Data at Rest, is one of the Capability Packages under CSfC. It focuses on securing classified data while it is stored or at rest on a device. CSfC DAR certification attests to specific commercial data protection and encrypted data storage products capability to secure Classified data in accordance to the strict government requirements. 

The certification of commercial off-the-shelf (COTS) solutions offers affordable access to leading-edge data security while ensuring they remain in compliance with strict compliance regulations. This approach has revolutionized the way classified data at rest is secured, enabling organizations to adopt new and cutting-edge technologies quickly for their systems to stay ahead of emerging threats and strengthen national security.

Understanding CSfC

The CSfC program was initiated to assure commercial network solutions’ suitability for building secure, encrypted networks for classified national security systems. The program enables these agencies to:

• Take advantage of the latest technological advancements
• Achieve cost savings through competitive marketplaces
• Rapidly deploy commercial products
• Adhere to open, non-proprietary standards

Government organizations such as Department of Defense (DOD) agencies, intelligence agencies, military service branches, and other federal agencies that utilize classified networks typically benefit from CSfC solutions.

The vendor-neutral strategy in CSfC guarantees the fulfillment of requirements and adherence to the CSfC certification standards through the use of open architectures. This approach not only simplifies the procurement process but also facilitates the use of commercial technologies in layered solutions to safeguard classified information.

CSfC DAR Program Overview

CSfC DAR aims to provide a framework for securely storing classified data using commercial off-the-shelf (COTS) products while meeting the stringent security requirements of government agencies and other organizations handling sensitive information.

These components include:

• Hardware Security Modules (HSM) to provide cryptographic key management and protection
• Encryption algorithms mandated for protecting data at rest
• Key Management requirements for the use of robust key management practices, often involving the secure generation, storage, distribution, and destruction of cryptographic keys
• Secure Storage mechanisms to protect encrypted data
• Secure Deletion to ensure that classified information cannot be recovered once it is no longer needed
• Secure Boot to ensure that only authorized and trusted software components are loaded during startup
• Compliance and Certification from the NSA or other relevant authorities to demonstrate compliance with CSfC DAR requirements

The National Security Agency (NSA) plays a crucial role in administering the CSfC program, developing capability packages, and facilitating the use of commercial technologies in layered solutions to protect classified information. These capability packages enable government organizations to gain access to the necessary information to fulfill their operational needs and ensure secure cybersecurity solutions by leveraging commercial technologies.

CSfC Capability Packages: Meeting Specific Security Needs

CSfC Capability Packages provide specific instructions for constructing secure architectures that meet specific security requirements utilizing components from CSfC component vendors. These packages are designed to provide guidance for developing secure solutions that are tailored to specific security requirements. CSfC Capability Packages give accreditors sufficient guidance to make informed decisions on the alignment of secure solutions with their mission and security criteria.

Government agencies can stay abreast of the latest technological advancements, reap cost savings from competitive marketplaces, and swiftly deploy commercial products while sticking to open, non-proprietary standards by using CSfC Capability Packages. This ensures that agencies can leverage the best commercial technologies available to meet their unique security needs.

Multiple Capability Packages

A variety of capability packages are available to meet different security requirements, such as the CSfC Mobile Access Capability Package (MA CP) Version 2.5 and the Data at Rest Capability Package (DAR CP).

The DAR CP is specifically intended to safeguard data at rest stored on an endpoint system such as a laptop. 

Customizing CSfC Solutions

Tailoring CSfC solutions is a crucial step towards guaranteeing an optimal fit with each organization’s unique requirements. The NSA evaluates the client’s requirements to guarantee the utilization of appropriate tools in the appropriate environment, ensuring a suitable CSfC solution is implemented.

Organizations can adjust their security solutions to fit their particular needs and reduce potential security risks by selecting flexible and scalable CSfC solutions that adhere to NSA standards.

Why Cigent for CSfC?

Cigent offers a comprehensive suite of CSfC-compliant solutions that not only meet the stringent requirements of the CSfC program but also provide organizations with a range of additional features to enhance their data security. These features include:

• Hidden encrypted partitions data
• Zero trust file and folder access 
• Dual layers of encryption
• Threat detection
• Pre-boot authentication
• True Erase™ data destruction with  verification
• An enterprise management 

Organizations can protect their critical data at rest with utmost security by forming a partnership with Cigent. Cigent’s solutions are designed to meet the demanding requirements of the CSfC program, ensuring the highest level of security and compliance for classified national security systems.

Hidden encrypted partitions - Secure Vaults

Secure Vaults provide an additional “inner” layer of security by creating a virtual partition that is hidden to users and the operating system until it is unlocked with step-up authentication using a 2nd authentication factor. Contents of the secure vault data are encrypted and not accessible while locked, even when using drive utilities or alternate operating systems. They also cannot be cloned or “wiped” by malware or drive utilities. 

Zero Trust File Access

Cigent enables an additional layer of security controls at the file and folder level. Folder and individual files can be designated for Zero Trust protections, requiring the user to use step-up authentication to access them. Cigent Data Defense also automatically applies these protections by file type and/or location. For example, Data Defense can be configured to protect all files with a .XLS extension or within the Documents folder.

Dual Layers of Encryption

Double encryption provides superior protection for sensitive information by using two encryption layers (drive layer and file/folder layer) to secure sensitive data. This security measure lessens the likelihood of configuration mistakes and provides a higher level of assurance that the data cannot be recovered.

With dual layers of encryption in place, organizations can be confident that their sensitive data is protected from unauthorized access and potential security threats.

Threat Detection

Threat detection, which enables the identification and mitigation of potential security risks, is a vital part of any organization’s security strategy. By actively monitoring for malicious cyberthreat activity across a network, threat detection enables organizations to promptly detect and respond to threats, minimizing the impact of any security incidents.

Implementing effective threat detection measures is essential for protecting classified information and ensuring the integrity of an organization’s network.

Pre-boot Authentication

Pre-boot authentication enhances security before system startup by necessitating an identifier input, such as a password or smart card, before booting the operating system. This measure ensures the security of a computer system by preventing unauthorized access to the system’s data.

By implementing pre-boot authentication, organizations can minimize the risk of data breaches and unauthorized access to sensitive data, ensuring the confidentiality of their classified information.

True Erase™ and Verification

This Cigent solution provides unique capabilities to ensure that data will truly be erased from drives so that they can be reused or disposed of. These include the following:

Cryptographic Erase (CE) – Rapidly sanitizes drives by deleting the key used to decrypt the data. The encrypted data remains present on the drive, the data cannot be decrypted making the recovery of data infeasible.

Full Block Level Erase – A more comprehensive approach to data erasure, this initiates a hardware low-level format of the media. The process performs a secure erase that destroys all data and metadata on the drive.

Complete Erasure Verification – This patented Cigent technology verifies that every block on the drive has been “wiped” after a full block erasure. The verification enables the drive to be safely repurposed or retired with assurance that all data has been completely removed.

 Enterprise Management

The Cigent Data Defense subscription includes a cloud-based or on-premises administrative console to manage endpoint deployment and security. From within the management console, administrators can manage policy for endpoint clients as well as configure integrations with the other security solutions in the security stack such as EDRs and SIEMs. 

Why Cigent to Protect your Critical DAR

Maintaining the highest level of security and compliance necessitates the protection of your critical Data at Rest (DAR). By partnering with Cigent for CSfC-certified solutions, you can ensure that your sensitive information is protected with the highest level of security available.

Cigent’s comprehensive suite of security measures provides organizations with the tools they need to safeguard their classified data and meet stringent cybersecurity requirements, giving you peace of mind that your critical DAR is well protected.

Cigent was developed by experts in advanced data recovery, storage, and cyber security who have been rooted in this work since 1987. Cigent’s modern, “next-gen” approach to data recovery and data protection safeguards your information from even the most advanced data recovery techniques like ransomware, malware, and quantum computing attacks. We adopt a proactive approach to securing your information because we were built on the notion that advanced threats always find a way in. Adding data layer security controls is the last line of defense to prevent data from being compromised.  The result is a data protection solution that is one step ahead and that takes all aspects of this threat landscape into consideration. 

Cigent and its partners also offer a significant number of effective compliance regulation solutions to ensure you remain in compliance and your top-secret data remains protected—wherever it goes. 

We don’t just know data security—we're leading the way

Frequently Asked Questions

What does CSfC mean?

CSfC stands for Commercial Solutions for Classified, an NSA program that enables commercial products to be used in layered solutions to protect classified information and streamline deployment timelines.

How do I get CSfC certified?

To get CSfC certified, developers must build their products in accordance with the applicable US Government approved or collaborative Protection Profiles, and then submit their product for evaluation according to the Common Criteria process.

Finally, they must obtain a signature from their Authorizing Official and submit their completed documentation.

How does CSfC work?

The CSfC program facilitates secure transmission of classified information using approved commercial-grade encryption solutions, offering organizations an optimal IA/cybersecurity solution tailored to their specific needs.

What is CSfC certification?

The CSfC certification program enables organizations to securely transmit classified information using commercial-grade encryption solutions, simplifying the process of secure communications while eliminating expensive and difficult-to-use classified equipment.

It is an important part of the NSA’s strategy to leverage commercial technologies and products for cybersecurity.