CSfC for DAR Vendor Selections
Protection of classified DAR is critical to ensure mission effectiveness.
Given the importance of effective DAR protection and the complexity of supporting diverse mission requirements, it is recommended to partner with a vendor whose validated capabilities and expertise ensure that your DAR protection objectives are effectively met.
Selecting a solution should include not only the evaluation of technical effectiveness and product availability, but also the vendor’s partner ecosystem, data and operational expertise, and ability to support classified customer initiatives.
This page outlines the essential considerations when choosing a vendor to support CSfC Data at Rest (DAR) mission requirements.
Full-Stack or Independent Vendors
Full-stack vendors provide all components needed to meet CSfC for DAR requirements. This includes NSA-certified self-encrypting drives (SEDs) with hardware full disk encryption (HW FDE), pre-boot authentication (PBA) software, and software full disk encryption (SW FDE). A full-stack vendor requires a manufacturer diversity letter from the NSA. Only two vendors currently hold a full stack of certified capabilities.
The alternative is selecting a combination of vendors to meet solution requirements. The most common approach is utilization of an SED vendor for hardware encryption and a software vendor to provide PBA and Software FDE capabilities.
The main advantage of a full-stack vendor is simplified sourcing, support, and procurement workflows. Full-stack vendors may also offer reduced pricing through bundled solutions and streamlined lifecycle management.
Certified Portfolio
Mission needs may require multiple drive types. To support this requirement, it is important to understand the vendors’ current certified drive portfolio as well as their certification roadmap to ensure future availability.
Additionally, for programs involving manned or unmanned vehicles, it is essential to confirm that the vendor supports automotive temperature specifications to meet operational conditions.
Partner Ecosystem
CSfC Data at Rest solutions operate as integrated components within broader mission systems. A critical criterion in vendor selection is understanding their partner ecosystem. CSfC DAR vendors with significant relationships with device OEMs and Federal System Integrators will offer simplified procurement, allowing their solution to be included directly within the system order.
Vendors with strong partnerships are more likely to have completed interoperability testing to validate integration, lowering the risk of deployment challenges or operational failures.
Enterprise Management Capabilities
Deploying CSfC Data at Rest at enterprise scale requires enterprise administration tools. Tasks that these tools will need to support include provisioning, authentication management, policy enforcement, firmware updates, logging, and audit support.
A vendor should offer multiple administration options to align with mission requirements. Enterprise management administration tools may include:
- A Command Line Interface (CLI): a simple Linux-based command tool that can be used independently or integrated with existing consoles.
- An enterprise management console: an independent console that, ideally, provides comprehensive management of PBA and Software FDE with role-based access controls.
US-Based Software Team
In selecting a vendor for the software components of CSfC DAR, an assessment of their engineering team and processes is required. Of particular importance is selecting a vendor that exclusively uses a U.S.-based team for code development. Utilizing foreign developers and/or outsourcing code to third parties may expose the code to supply-chain vulnerabilities and compromise code efficacy.
The team should follow NSA guidelines for integrating security throughout the Software Development Life Cycle (SDLC). These include threat modeling, secure coding principles, input validation and sanitization, and use of secure frameworks.
Given the unique mission requirements, programs should also ensure that the vendor has the experience and capabilities to support customer development initiatives. This should include access to developers with TS/SCI clearance.
Expertise and Clearance
One of the most important factors in vendor selection is the vendor’s ability to support specific mission requirements. They should have expertise in data protection and in the operational requirements of the defense and intelligence communities. This includes:
- A background and focus on, and deep ties within, the defense and intelligence communities.
- Employment of team members who have data protection and defense operational experience.
- Employment of team members with TS/SCI clearance to support classified discussions. Ideally, the vendor should have access to SCIFs to support classified discussions on unique mission requirements.