Commercial Solutions for Classified

Commercial Solutions for Classified (CSfC) is an important part of NSA’s commercial cybersecurity strategy to deliver secure cybersecurity solutions leveraging commercial technologies and products. It is founded on the principle that properly configured, layered solutions can provide adequate protection of classified data in a variety of different applications. NSA has developed, approved, and published solution-level specifications called Capability Packages (CPs).

U.S. Government customers increasingly require immediate use of the market’s most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives.

The CSfC Program was established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.

CNSS Policy No. 7 requires the use of products listed on the CSfC Components List in a CSfC solution.

Vendors who want their products to be eligible as CSfC components of a composed, layered information assurance solution must build their products in accordance with the applicable U.S. Government-approved Protection Profile(s) and submit their products using the Common Criteria process.

The vendor will enter into a Memorandum of Agreement (MoA) with NSA. The MoA specifies that the vendor’s product must be NIAP certified and that the vendor agrees to fix vulnerabilities in a timely fashion. The MoA may also reference technology-specific selections for NIAP testing.

For some technologies, the CSfC program requires specific, selectable requirements to be included in the Common Criteria evaluation validating that the product complies with the applicable NIAP-approved protection profile(s).

Advanced Data Security would be happy to guide you through the CSfC process.