Commercial Solutions For Classified
An Industry Leader on the NSA Commercial Solutions for Classified Component List
Sub U Systems is a market leader in the design, development, and implementation of software and hardware-based IP networking solutions that specifically target the National Security Agency’s (NSA) Commercial Solutions for Classified (CSfC) Program. We are the only IP networking device manufacturer that produces custom, one-off, highly integrated CSfC solutions. No matter how unique your application, Sub U Systems can deliver a solution that meets all your requirements.
What is NSA CSfC?
NSA’s Commercial Solutions for Classified (CSfC) program enables the use of commercial security products in layered solutions to protect US Government and DoD classified information.
In the IP networking domain, CSfC takes the form of two nested encryption tunnels, built from IPsec or MACsec. Data passes through two independent layers of encryption: the output of the first (Inner) layer is encrypted again by the second (Outer) layer, so an attacker on the untrusted network only ever sees doubly encrypted traffic. The two tunnels must be terminated by encryption components from different vendors, so that a single implementation flaw cannot compromise both layers at once.
CSfC Component List
NSA publishes an approved CSfC Components List that identifies products that you can use in CSfC solutions. Components on the list have satisfied specific requirements, including certain security certifications and validations. These certifications, and the resulting Components List entry, are what qualify our products for use in solutions that protect classified information. SUB-U has obtained:
- NIST FIPS 140-2 Level 2 (Certificate # 2672)
- NIAP Common Criteria Network Device Certification
- NIAP Common Criteria VPN Gateway Extended Package Protection Profile Certification
Leveraging CSfC solutions enables the DoD and Military to deploy cutting-edge technology from the commercial market. Additional benefits include:
- Reduces time to build, evaluate and deploy information assurance (IA) solutions
- Implements more robust and flexible routing protocols and capabilities
- Reduces the size, weight, power, and cost of solutions by removing Type 1 COMSEC device(s)
- Eliminates the concerns of using Type 1 COMSEC devices in hostile or unsecured environments
The NSA develops, approves, and publishes Capability Packages (CPs), which give solution-level specifications for CSfC composed solutions. They are vendor-agnostic and provide high-level security and configuration guidance. CPs are reviewed by NSA semi-annually and updated to keep pace with changing technology and security policies. The current CSfC CPs are:
- Mobile Access CP
- Wireless Local Area Network (WLAN) CP
- Multi-Site Connectivity CP
- Data at Rest CP
SUB-U and CSfC
SUB-U has participated in the NSA CSfC program since its inception. We follow NSA's CSfC security design principles for the layering of commercial security appliances to protect classified information. Our products focus on securing your data while it is in transit, the use cases covered by the Mobile Access, WLAN, and Multi-Site CPs.
We pride ourselves on being the pacesetter for CSfC VPN Gateway solutions. In 2015, we developed two products, the STEW and the KG-RU, each containing vendor-diverse VPN Gateways in a single device. To this day, we are the only manufacturer to have achieved this.
Today, we continue to leverage our design engineering experience and in-depth knowledge of NSA's CSfC concept, Type 1 COMSEC, and information assurance to build highly integrated, custom CSfC composed solutions for even the most unusual applications.
SUB-U CSfC Firsts
- Incorporate dual VPN Gateways into a single appliance
- Offer a Wi-Fi client in a VPN Gateway appliance listed on the CSfC Components List (CL)
- Offer 3G/4G cellular radio support in a VPN Gateway appliance
- Develop a virtual machine version of an IP Router
- Demonstrate a dual VPN Gateway/dual virtual machine solution
- Offer Data at Rest (DAR) security for a Router OS and critical security-related configuration information (patent pending)
- Offer a Router OS that can host virtual machines (patent pending)
Campus WLAN CP Solution
The Campus Wireless LAN (WLAN) Capability Package (CP) provides secure Wi-Fi connectivity to end user devices (EUD) (e.g., commercial tablets, smartphones, and laptop computers) in an area physically protected to the highest classification level among the networks residing there.
To protect data as it travels across untrusted networks, two layers of cryptography are used: WPA2 as the Outer layer, between the WLAN Client and the wireless access system, and Internet Protocol Security (IPsec) as the Inner layer, between the Virtual Private Network (VPN) Client and the VPN Gateway. Both layers are generated on the EUD, by the WLAN Client and the VPN Client respectively.
A single implementation of the Campus WLAN solution provides connectivity between classified networks and EUDs within each security level while preventing classified networks and EUDs of differing security levels from communicating with each other. This enables a customer to use the same physical wireless infrastructure to carry traffic from multiple networks.
Mobile Access CP Solutions
The Mobile Access (MA) Capability Package (CP) enables secure connectivity to a classified network from remote or external end-user devices (EUD) – provided the EUD and the network operate at the same security level.
The solution uses two nested, independent tunnels (Inner and Outer) to protect the confidentiality and integrity of data (including voice and video) as it transits untrusted networks. The Outer tunnel always uses Internet Protocol Security (IPsec); depending on the solution design, the Inner tunnel uses either IPsec or Transport Layer Security (TLS).
Multi-site Connectivity (MSC) CP Solutions
The Multi-Site Connectivity (MSC) Capability Package (CP) connects two or more networks of the same security level. It protects classified data that travels between these networks using two nested, independent encryption tunnels – either Internet Protocol Security (IPsec) generated by a Virtual Private Network (VPN) Gateway or Media Access Control Security (MACsec) generated by a MACsec Device. The MSC CP generically refers to VPN Gateways and MACsec Devices as “Encryption Components.”
Before a data packet is sent across an untrusted network or a network of a different security level, it is encrypted twice: first by an Inner Encryption Component and then by an Outer Encryption Component. At the other end of the flow, the data packet is correspondingly decrypted twice: first by the Outer Encryption Component and then by the Inner Encryption Component. There is no limit to the number of networks or security levels in a single MSC implementation, but with multiple networks of varying security levels, additional filters (e.g., firewalls) are required to guard against unintended data flow between those networks.
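The nested encrypt-twice, decrypt-in-reverse flow described above (and in the dual-tunnel overview at the top of this page) is easy to state and worth seeing in working code, because the security argument rests on the order of operations and on the layers having independent keys. The following Go program is an added example written for this page; it is not Sub U Systems code and not an IPsec or MACsec implementation. Two AES-256-GCM instances with independently generated keys stand in for the Inner and Outer Encryption Components, and a 4-byte SPI-like cleartext header stands in for the ESP or MACsec header that each layer authenticates but does not encrypt. The names `EncryptionComponent`, `SendNested` and `ReceiveNested` and the SPI values are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// headerLen is the size of the cleartext header each layer prepends.
// Constructed example: a 4-byte SPI-like identifier stands in for the
// IPsec ESP or MACsec header, which is authenticated but not encrypted.
const headerLen = 4

// EncryptionComponent models one CSfC encryption layer (Inner or Outer)
// with its own independently generated key. AES-256-GCM stands in for
// whatever transform the vendor's VPN Gateway or MACsec Device implements.
type EncryptionComponent struct {
	name string
	spi  uint32
	aead cipher.AEAD
}

// NewEncryptionComponent builds a layer from a 32-byte key.
func NewEncryptionComponent(name string, spi uint32, key []byte) (*EncryptionComponent, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptionComponent{name: name, spi: spi, aead: aead}, nil
}

// NewKey returns a fresh random 256-bit key; each layer gets its own.
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// Encapsulate wraps payload as header || nonce || ciphertext+tag. The header
// is bound into the tag as associated data, so altering it is detected.
func (c *EncryptionComponent) Encapsulate(payload []byte) ([]byte, error) {
	header := make([]byte, headerLen)
	binary.BigEndian.PutUint32(header, c.spi)
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, headerLen+len(nonce)+len(payload)+c.aead.Overhead())
	out = append(out, header...)
	out = append(out, nonce...)
	return c.aead.Seal(out, nonce, payload, header), nil
}

// Decapsulate reverses Encapsulate and fails closed on a truncated packet,
// a foreign SPI (packet meant for the other layer) or a bad tag.
func (c *EncryptionComponent) Decapsulate(packet []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(packet) < headerLen+n+c.aead.Overhead() {
		return nil, errors.New(c.name + ": packet too short")
	}
	header := packet[:headerLen]
	if binary.BigEndian.Uint32(header) != c.spi {
		return nil, errors.New(c.name + ": SPI mismatch, packet not addressed to this layer")
	}
	nonce := packet[headerLen : headerLen+n]
	pt, err := c.aead.Open(nil, nonce, packet[headerLen+n:], header)
	if err != nil {
		return nil, fmt.Errorf("%s: authentication failed: %w", c.name, err)
	}
	return pt, nil
}

// SendNested encrypts twice, Inner first and then Outer, as the MSC CP
// describes for a packet leaving a site.
func SendNested(inner, outer *EncryptionComponent, plaintext []byte) ([]byte, error) {
	innerPkt, err := inner.Encapsulate(plaintext)
	if err != nil {
		return nil, err
	}
	return outer.Encapsulate(innerPkt)
}

// ReceiveNested decrypts in reverse order, Outer first and then Inner.
func ReceiveNested(inner, outer *EncryptionComponent, wire []byte) ([]byte, error) {
	innerPkt, err := outer.Decapsulate(wire)
	if err != nil {
		return nil, err
	}
	return inner.Decapsulate(innerPkt)
}

func main() {
	inner, _ := NewEncryptionComponent("Inner", 0x1001, NewKey())
	outer, _ := NewEncryptionComponent("Outer", 0x2002, NewKey())
	wire, _ := SendNested(inner, outer, []byte("SECRET: site A to site B"))
	// Even a fully compromised Outer component only recovers Inner ciphertext.
	seenByOuter, _ := outer.Decapsulate(wire)
	fmt.Printf("outer layer sees %d bytes, none of it plaintext\n", len(seenByOuter))
	pt, err := ReceiveNested(inner, outer, wire)
	fmt.Printf("receiver: %q err=%v\n", pt, err)
}
```

The two properties worth checking against this model are the ones the CP design relies on: stripping the Outer layer alone yields only Inner ciphertext, so compromising one vendor's component does not expose data, and anything modified between the layers (or decrypted in the wrong order, or with the wrong peer's key) fails authentication at the Inner component rather than being passed through.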