Targeting the DoD? The Different Paths to Military Sales

With the military’s love of acronyms and the many and varied requirement definitions, understanding how to break into Department of Defense (DoD) sales can be a daunting proposition. How do these DoD and international requirements relate to one another and what does your product need?

A few of the requirements we are hearing questions on are Suite B cryptography, Commercial National Security Algorithm (CNSA), Commercial Solutions for Classified (CSfC), and FedRamp. Let’s take a look at each of these and how they relate to Corsec’s core offerings of DoDIN APL, Common Criteria, and FIPS 140-2.

First, let’s start with differentiating between DoD purchasing for unclassified systems and National Security Systems (NSS).  Many DoD networks are unclassified and use commercial off-the-shelf (COTS) product for these networks. Common Criteria, FIPS 140-2, and DoDIN APL were designed to provide assurance for these types of products.  NSS includes systems used or operated by an agency or organization that us involved in intelligence activities, cryptologic activities related to national security, command and control of military forces, or is an integral part of a weapons system.  All classified government networks are included in the NSS definition. So, in general NSS deals with classified networks, but some sensitive networks may also be designated NSS.  There is a Committee on National Security Systems (CNSS) that sets policies for NSS systems. The CNSS and National Institute of Standards and Technology (NIST) collaborate to provide policies for unclassified and NSS networks.

Suite B Cryptography/CNSA Suite

NIST manages the FIPS 140-2 standards, which the DoD relies on for assurance on any COTS product using cryptography on a DoD network.  NIST has taken the FIPS 140-2 requirements and further refined them for NSS networks. These refinements include a reduced list of allowed cryptographic algorithms and were called Suite B cryptography. In January 2016, the NSA defined the Commercial National Security Algorithm (CNSA) Suite, which is a new set of algorithms that replace the Suite B algorithm set. CNSA Suite will be in place until a new set of quantum computer resistant algorithms can be identified.  All algorithms on the CNSA Suite list are valid in FIPS 140-2, but not all FIPS 140-2 algorithms meet CNSA Suite requirements.  It is important to remember, that these requirements are only for products that are determined to be NSS.


CSfC is a list, maintained by NSA of products that are approved for use as NSS.  Products on this list must:

  • Have a valid FIPS 140-2 certificate
  • Have, or be in the process of achieving a Common Criteria certificate against a NIAP-approved protection profiles.
  • Have a signed memorandum of agreement with NSA that vulnerabilities in the product will be fixed in a timely manner.

NSA has also developed capability packages, to further define the CSfC requirements for particular products.  Capability packages are product neutral, but give customers details on the guidelines and restrictions for commercial products that are configured in a particular manner.  Some of these capability packages require products to meet CNSA Suite cryptographic requirements.  It is likely more of the capability packages will include a CNSA Suite requirement in the future.

As we can see, Common Criteria and FIPS 140-2 are building blocks for many of these requirements. How does the DoDIN APL fit into this picture?  DoDIN APL does not inherently focus on NSS. It is designed to cover COTS products that support DoD unified capabilities. While there are requirements within DoDIN APL testing that cover systems that store classified data or operate in a classified environment, there is no requirement for a product to be capable of doing so.  In general, products on the CSfC are also list on the DoDIN APL, but not all products on the DoDIN APL qualify for CSfC.

Which list do I need to be on? This really depends on the product and its use. If your product is not intended to be operated on a classified network then DoDIN APL is the correct list. If you are looking to move into the Intelligence Community, then listing on both the DoDIN APL and the CSfC would be useful.


The FedRamp program is designed to cover cloud service providers.  These services often do not easily fit into a Common Criteria or DoDIN APL evaluation.  FedRamp is operated by the Department of Homeland Security (DHS).  Like DoDIN APL, there are requirements based on the type of product.  FedRamp and UC APL also both include Trusted Internet Connection (TIC) testing for interoperability.  Like CC and FIPS, FedRamp uses independent labs to perform government testing, though the set of labs is different.  FedRamp includes templates that lay out various controls a product must meet.  Some security controls include a FIPS 140-2 requirement.

Roadmap into DoD

Taking all of this information into account, how do you start?  Corsec can walk you through all of these certifications and provide advice on which certifications to pursue.  In general, the first step is to evaluate the cryptographic operations of your product.  A FIPS 140-2 validation and Common Criteria certification can be pursued at the same time.  These will be building blocks for other lists and requirements.  DoDIN APL would generally be the next step.  FedRamp and CNSA Suite are more specialized and would only be needed by some products, in some deployments.  Of course, each product is different and the needs of your customers should drive all certifications.  Corsec excels at monitoring the certification space and helping our clients stay in the forefront of this space.