CSfC

Sell directly into the Intel Community by completing the Commercial Solutions for Classified (CSfC) program

CSfC White

CSfC

Sell directly into the Intel Community by completing the Commercial Solutions for Classified (CSfC) program

What Is CSfC?

The National Security Administration (NSA) developed the Commercial Solutions for Classified (CSfC) program as part of a cybersecurity strategy to quickly deliver secured and innovative commercial layered solutions to Government agencies which protect classified NSS data.
U.S. Government customers increasingly require immediate use of the market’s most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives.

The Program: CSfC

The CSfC program was developed to ensure readily available solutions for procurement provided adequate protection of classified data in a variety of different applications.
NSA/CSS policy mandates CSfC as the first option to be considered to satisfy a CS requirement. The Committee on National Security Systems (CNSS) has issued a CSfC Advisory Memorandum that provides guidance to U.S. Government departments and agencies as to the responsibilities for maintaining the security posture of NSS using CSfC solutions.
In accordance with CNSS Policy 7, only approved products on the CSfC Components List can be used in commercial cybersecurity solutions protecting classified NSS data.
CSfC is a secure alternative to GOTS. NSA will examine the client’s needs to ensure the right tool is used at the right place and in the right environment.
NSA’s strategy for protecting classified information continues to employ both COTS and GOTS solutions. However, NSA will look first to CSfC in helping clients meet their needs for protecting classified information.
Typical CSfC clients are National Security Systems (NSS) stakeholders, which includes the Department of Defense (DoD), the Intelligence Community (IC), Military Services and other federal agencies. These clients utilize commercial solutions based on CSfC Capability Packages (CPs) to quickly implement Cybersecurity solutions to satisfy their mission objectives.

The Essentials: Security Requirements

  1. Vendors who wish to have their products eligible as CSfC components of a composed, layered CS/IA solution, must build their products in accordance with the applicable U.S. Protection Profiles and submit their products using the Common Criteria process.
  2. NSA considers the totality of circumstances known to NSA
  3. The vendor will enter into a Memorandum of Agreement (MoA) with NSA
  4. Interested vendors must complete and submit the CSfC Questionnaire (PDF) for each product.

The Process: Done Once, Done Right

Corsec’s Three-Step Methodology helps to decrease risk, increase security, and accelerate sales; guaranteeing listing success – Done Once, Done Right!

Corsec Assess for FIPS 140-2. Common Criteria, and the DoDIN APL

Assess

An Assessment of Your Company & Product to Identify an Efficient Path Through the Program

Corsec Enhance for FIPS 140-2. Common Criteria, and the DoDIN APL

Enhance

Design Consulting to Harden Your Product Against CSfC Requirements and Mandates

Corsec Validate for FIPS 140-2. Common Criteria, and the DoDIN APL

Validate

End-to-End Support to Guide You Through The Entire CSfC Process

Corsec Assess for FIPS 140-2. Common Criteria, and the DoDIN APL

Assess

An Assessment of Your Company & Product to Identify an Efficient Path Through the Program

Corsec Enhance for FIPS 140-2. Common Criteria, and the DoDIN APL

Enhance

Design Consulting to Harden Your Product Against CSfC Requirements and Mandates

Corsec Validate for FIPS 140-2. Common Criteria, and the DoDIN APL

Validate

End-to-End Support to Guide You Through The Entire CSfC Process
Determining the appropriate approach through the CSfC program is essential; depending on your product, the path you pursue, and the engineering changes required, your path though the program could alter greatly.