Commercial Solutions for Classified (CSfC)

Transcription

1 Commercial Solutions for Classified (CSfC) Program Overview CONFIDENCE IN CYBERSPACE Chris Magaha Deputy Program Manager

2 Strategic Initiative CSfC Layering commercial technologies to protect National Security Systems and information CSfC requirements are specified in Capability Packages (CPs) at the system level and in Protection Profiles (PPs) at the component level; use COTS components to meet requirements BENEFITS Improved access to information Releasable to int l partners Flexibility in selecting products Latest commercial IT technology Flexibility/speed updating IT ASSURANCES Layered solutions; diversity in components Component selection Security testing of Capability Packages Classified Risk Assessment Independent Senior Review of CPs 2

3 CSfC Elements USG & Industry requiring immediate use of the market s most modern commercial hardware and software technologies within NSS to achieve mission objectives Secure solution built by trusted integrators using NSA security requirements & layering approved components Vets Integrators against criteria regarding their organization & personnel User Composed Solution NSA s Trusted Integrator Process Approved COTS components are selected to meet requirements CSfC Components List CSfC requirements are specified in CPs at system level and PPs at component level NIAP Protection Profiles & CSfC Capability Packages Provides the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years 3

4 Responsibilities & Risks CSfC solutions follow a different risk paradigm from GOTS No shift/conveyance of authority for approving deviations More transparency of risks (shared risk assessments) Shared analysis and acceptance of risks NSA/IAD Customer/AO Responsibilities Author and maintain capability packages in accordance with official customer requirements Solicit community input and comments on capability packages Engage with commercial vendors Engage with NIAP Review and validate CSfC solution body of evidence, including CSfC compliance matrix Record all deviations and submit for approval by NSA Register all CSfC solutions with the CSfC PMO Act on national manager notifications Risks Assess CP/solution risks Publish classified risk assessment Issue national manager notifications Review NSA-published risk assessments Consider how residual risks will affect operational application Accept residual risks and approve operation of CSfC solution 4

5 Mitigating the Risks Specification Testing & Integration Deployment Monitoring & Response Capability Pkgs Trusted Integrators Protection Profiles Agreements with Vendors Component Evaluations Customer Registration Components List System Testing Owner C&A Layering Diversity Establish Situational Awareness Local Monitoring Incident Reporting & Discovery Vendor Mitigations Audit/Assessment Risk Assessments 5

6 Capability Packages Published Virtual Private Network (VPN) v3.0 Campus WLAN v1.1 Data at Rest (DAR) v1.0 Mobile Access CP v0.8 (draft of v1.0) In Process Mobile Access v1.0 (Cellular & Trusted Hotspot) Expected Approval: FEB/MAR15 Data at Rest (DAR) v2.0 Expected Pub: 3Q FY15 Future Mobile Access CP v2.0 Multi Site Connectivity (high speed) Expected Pub: CY16 Campus WLAN v2 (shared wireless layer) Expected Pub: JUN 15 Components CSfC Components Lists updated ~ weekly - Must be under contract with NIAP - NIAP PP with CSfC selections - MoA with NSA 6

7 CSfC Components List Published IPSec VPN Gateways Product Series from Apriva, Aruba, Cisco, Fortress and Juniper WLAN Access System Product Series from Aruba, Cisco and Fortress Certificate Authority Microsoft IPSec VPN Client Product Series from Aruba, Cisco, Microsoft and Samsung SIP Server Cisco Mobile Platform Product Series from Boeing and Samsung Mobile Device Management MobileIron Software Full Disk Encryption Microsoft BitLocker VoIP Applications Cisco and Cellcrypt Traffic Filter Firewall Product Series from Aruba, Cisco and Juniper In Progress IPS Clients WLAN Clients Web Browsers CSfC Components = in NIAP against PP w/csfc selections, MoA with NSA 7

8 CSfC Trusted Integrators CSfC Integrators Build, Test, Document, Maintain/Troubleshoot NSA s Trusted Integrator Process vets Integrators against criteria regarding their organization and personnel - Robust business practices - Access to secure facility/clearances - Test methodologies - Personnel certifications - Understanding of CSfC Memorandum of Agreement (MoA) with NSA Criteria and Application available on CSfC website List published on CSfC website 8

9 CSfC Way Ahead CSfC Specifications and More Publish New/Updated Capability Packages - Multi Site Connectivity (High speed) - WLAN v2 (shared WPA2) - Data at Rest - Mobile Access Update CSfC Components List Update Trusted Integrator List on 9

10 CSfC Registration Process 2 1 CP Execution Customer Implements Solution Based on CP Requirements CP Publication IAD Publishes CP 3 4 Solution Testing Customer Conducts Site Based Testing on Solution 5 Registration Acknowledgement Administrative Acknowledgement of Customer Registration CP Registration Customer Registers with IAD to use CP 6 AO Authorization AO Grants Authority to Operate 10

11 CSfC Takeaways CSfC For maximum benefit Authorizing Officials: Confirm compliance with Capability Package - Use compliance matrices for body of evidence Accept residual risks related to fielding CSfC solutions Ensure solutions are registered with the CSfC PMO Acquisition/Procurement for RFIs, RFPs, SOWs Require products from CSfC Components List - In accordance with CNSSP 11 Recommend CSfC Trusted Integrators For Up-to-Date Information: Sign-up to receive CSfC updates: [email protected] 11

12 Commercial Solutions for Classified National Manager-approved CSfC solutions are specified in Capability Packages (CP) Initial CSfC Components List published on nsa.gov Components used in CSfC solutions are validated against NIAP Protection Profile requirements users ADOPTION Now applying IAD-approved layered commercial solutions to protect classified information CSFC REGISTRATIONS NIAP Protection Profile Evaluations: completed within 90 days (4-6x faster than EAL-based NIAP evals) NIAP Product Compliance List (PCL) grew 10x since Dec (2 product lines to 21) DoD and IC acquisitions increasingly comply with CNSSP-11 UP ~2X # of CSfC registrations in 1QCY14 exceeded CY13 total Typically 2014 UP ~3X CSFC MOAS SIGNED 9 new CSfC MoA s signed with Component vendors in 2QCY