NSA CSfC DAR Certification Requirements
The NSA provides detailed, vendor-agnostic Capability Packages (CPs) that outline specific architectural requirements and configurations for implementing secure solutions. Adhering to these guidelines ensures the solution is configured securely.
These requirements are essential for organizations implementing CSfC Data at Rest protections. Implementation guidance can be found in the CSfC Data at Rest overview.
Capability Package
An NSA Capability Package (CP) is a set of vendor-agnostic, solution-level specifications published by the National Security Agency (NSA) under its Commercial Solutions for Classified (CSfC) program.
The purpose of a CP is to provide U.S. government customers with the architectural and configuration guidance needed to build and deploy secure systems that protect classified information using widely available, commercial off-the-shelf (COTS) products, rather than relying solely on traditional, custom-made government-only solutions.
This approach enables consistent architectures based on validated commercial technologies. This SSD security overview includes information related to enterprise-ready storage protections.
- Scope: The package provides guidance for protecting data when the end-user device (EUD) is powered off or in an unauthenticated state, effectively rendering the device unclassified in that condition and easing transportation and storage requirements per Authorizing Official (AO) policies. This state-based protection requirement supports secure field use, transport, and storage of devices.
- Implementation: The CP outlines specific architecture and configuration requirements, allowing customers and Trusted Integrators to build and register solutions tailored to their specific mission needs. Integrators must document each configuration step and ensure all components appear on the approved Components List.
- Vendor Agnostic: The CP is vendor-agnostic, meaning it specifies security requirements rather than particular products, fostering innovation and competition among commercial vendors. This allows customers to select validated components that best fit operational, platform, or mission needs. A general overview of secure system deployment considerations is also available.
CSfC DAR Authorization Process
Achieving CSfC Data-at-Rest (DAR) solution registration and authorization is a rigorous, multi-step process that leverages stringent commercial product standards and mandates a defense-in-depth architecture.
The rigorous standards ensure that the commercial solutions can adequately protect classified information using layered security. This layered model enhances resilience and reduces dependency on any single encryption implementation.
- Component Evaluation: Only commercial products that have undergone rigorous testing and evaluation according to the Common Criteria process and the applicable U.S. Government-approved Protection Profiles (PPs) can be used. These are listed on the official CSfC Components List.
- Layered, Diverse Architecture: The DAR Capability Package (CP) mandates two independent layers of encryption using products that, ideally, come from different manufacturers or have demonstrably different code bases and cryptographic implementations to ensure product diversity and mitigate systemic vulnerabilities. This two-layer design ensures that compromise of one layer does not undermine the entire Data at Rest architecture.
- NSA Risk Assessment: The NSA performs risk modeling, vulnerability analysis, and an independent senior review of the CPs themselves, providing guidance and mitigation strategies. These assessments support standardized, repeatable implementation practices across all Data at Rest solutions.
CSfC Components List
The CSfC Components List is a curated, publicly available inventory of commercial off-the-shelf (COTS) products that the National Security Agency (NSA) has approved for use in layered solutions to protect classified information.
- Pre-evaluated: Every product on the list has undergone rigorous, independent security evaluations through the National Information Assurance Partnership (NIAP) Common Criteria program, ensuring it meets U.S. Government-approved security requirements (Protection Profiles). A validated directory of approved components can be referenced in the federal-use component overview.
- Vendor-agnostic: The list is product-neutral, enabling customers to choose from a variety of options to build a solution that meets their specific functional and operational needs. This flexibility supports performance tuning, platform specialization, and mission-specific configurations.
- Foundation for Solutions: Products from this list are the building blocks for the "defense-in-depth" architecture mandated by CPs, where two independent layers of approved encryption are required to protect data. Common solution designs include combining hardware-based encryption with software-based full disk encryption to meet requirement thresholds.
- Expedited Deployment: By using pre-approved components, the list helps to significantly reduce the time and cost associated with certifying and deploying classified systems, as extensive product testing is already complete. This accelerates rollout timelines and lowers integration risk for Data at Rest implementations.
Third-Party Testing
Third-party testing organizations play a crucial role in the Commercial Solutions for Classified (CSfC) Data-at-Rest (DAR) process, primarily by evaluating individual commercial products against stringent security standards rather than testing the final integrated solution. Their specific roles include:
- Component Certification: Independent testing laboratories, approved under the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme, conduct rigorous evaluations of commercial products against U.S. Government-approved Protection Profiles (PPs). These PPs are sets of security requirements and test activities for a particular technology (e.g., full disk encryption). This ensures standardized security evaluation across all eligible commercial components.
- Validation: These labs assess whether a product meets the specific security requirements outlined in the relevant PP. If the product passes the evaluation, NIAP issues a validation certificate, and the product is added to the CSfC Components List.
- Ensuring Trustworthiness: This independent testing provides assurance to the NSA and government customers that the commercial components are sufficiently robust and trustworthy to be used in a layered architecture for protecting classified data. This strengthens confidence in component reliability across classified use cases.
- Assurance Continuity: If a product on the Components List is modified, a third-party lab may be engaged by the vendor and NIAP to determine if the changes affect the existing certification, thus ensuring the product's continued compliance. This continuity process ensures validated products remain compliant across version updates and lifecycle refinements.