Commercial Solutions for Classified

An Industry Leader on the NSA Commercial Solutions for Classified Component List

Sub U Systems is a market leader in the design, development, and implementation of software and hardware-based IP networking solutions that specifically target the National Security Agency’s (NSA) Commercial Solutions for Classified (CSfC) Program. We are the only IP networking device manufacturer that produces custom, one-off, highly integrated CSfC solutions. No matter how unique your application, Sub U Systems can deliver a solution that meets your requirements.


NSA’s Commercial Solutions for Classified (CSfC) program enables the use of commercial security products in layered solutions to protect US Government and DoD classified information.

In the IP networking domain, CSfC equates to a dual IPSec or MACSec tunnel approach. Meaning, data travels through two layers of IPSec encryption (encrypted data is re-encrypted). The two VPN tunnels must be from different vendors.

The NSA has determined that double encrypting the data is cryptographically robust enough to protect classified information up to and including Top Secret.


NSA publishes an approved CSfC Components List that identifies products that you can use in CSfC solutions. Components on the list have satisfied specific requirements, including certain security certifications and validations. These certifications verify that our products are so secure that they can be used to protect classified information. SUB-U has obtained:
  • NIST FIPS 140-2 Level 2 (Certificate # 2672)
  • NIAP Common Criteria Network Device Certification
  • NIAP Common Criteria VPN Gateway Extended Package Protection Profile Certification


Leveraging CSfC solutions enable the Military and DoD to deploy cutting-edge technology from the commercial market.

  • Reduces time to build, evaluate and deploy IA solutions
  • Implements more robust and flexible routing protocols and capabilities
  • Reduces the size, weight, power, and cost of solutions by removing Type 1 COMSEC device(s)
  • Eliminates the concerns of using Type 1 COMSEC devices in “hostile” environments


The NSA develops, approves, and publishes Capability Packages (CPs), which give solution-level specifications for CSfC solutions. They are vendor- agnostic and provide high-level security and configuration guidance. CPs are reviewed by NSA semi-annually and updated to keep pace with changing technology and security policies. The current CSfC CPs are:


SUB-U has participated in the NSA CSfC program since its inception. We follow NSA’s CSfC security design principles for the layering of commercial security appliances to protect classified information. Our products focus on securing your data while it is in transit.

We pride ourselves on being the pacesetter for CSfC VPN Gateway solutions. In 2015, we developed two products containing vendor-diverse VPN Gateways in a single device, the STEW, and KG-RU. Still today, we are the only manufacturer to achieve this.

Today, we continue to leverage our design engineering experience, in-depth knowledge of NSA’s CSfC concept, Type 1 COMSEC, and information assurance to build highly integrated CSfC solutions. We are the only IP networking device manufacturer that produces custom, one-off, highly integrated CSfC solutions. No matter how unique your application, Sub U Systems can deliver a solution that meets your requirements.


  • Incorporate dual VPN Gateways into a single appliance
  • Offer Wi-Fi Client to a CSfC CL listed VPN Gateway appliance
  • Offer 3G/4G cellular radio support in a VPN Gateway appliance
  • Develop a virtual machine version of an IP Router
  • Demonstrate a dual VPN Gateway/dual virtual machine solution
  • Offer Data At Rest (DAR) security for a Router OS and critical security related configuration information (patent pending)
  • Offer a router OS that has the ability to host virtual machines (patent pending)


The STEW-R is a dual router/VPN gateway appliance that incorporates an IAS Router and a Cisco Embedded Service Router (ESR) in a single device (both of which are NSA CSfC APL listed).

  • Machined aluminum enclosure design
  • Robust power connector design (LEMO)
  • User accessible cellular SIM slots
  • Built-in (user serviceable) battery

Additionally, the STEW-R is approved for use in the DISN DECTK-GW Program for Executive Communicators.


The MICRO IP Router is an enterprise-class router in a small, rugged form factor. With CNSA IPSec VPN tunneling greater than 250 Mbps, its performance rivals that of large, rack-mount IT appliances.

The MICRO is also available in a Software Definable Network Appliance (SDN-A) variation. The SDN-A MICRO gives you the option to run third-party Router Operating Systems (Aruba, Cisco, etc.) and other virtual machines.


Our VPN Gateway Modules are board-level embeddable enterprise-class IP routers/VPN gateways/IP networking security appliances. We have developed over a dozen different variants of networking appliance modules with additional modules in development.

Current variants include:


The IP Router GRAPHITE is a 3U Open VPN VITA65 Chassis low power/high performance rugged, wide temperature range (-40C to +85C), enterprise class IP router/VPN Gateway/IDS appliance solution that offers the same level of packet processing performance as our NANO and MICRO.