Networking

NSA’s CSfC Program Provides Classified Agencies with Solutions for Telework

Agencies can choose from a list of pre-vetted commercial products to build out secure networks.

Adam Stone writes on technology trends from Annapolis, Md., with a focus on government IT, military and first-responder technologies.

In the wake of the COVID-19 pandemic, government agencies that work in the classified space have been seeking commercial solutions to support the rise of telework.

The U.S. Army has turned to the Commercial Solutions for Classified Program to enable those efforts. Run by the National Security Agency, CSfC makes it possible for national security systems owners to use commercial products in layered solutions for telework while protecting classified information and systems.

Thanks to CSfC, “we were able to rapidly deploy these technologies and provide secure communications for users working from their telework environment or temporary duty location,” says Brig. Gen. Christopher Eubank, commanding general, 7th Signal Command.

Based at Fort Gordon in Georgia, Eubank and his team have worked on a pilot program that relies on CSfC to allow workers to access multiple networks through a single end-user computing device, and to have access to classified and unclassified networks from the same device.

It’s a strong example of the ways in which CSfC can empower National Security Systems owners to meet the challenges of the telework era.

Commercial Solutions Help Agencies Meet New Challenges

NSA Deputy Director for CSfC David Ziska points to a few key aspects of the program that may be worth consideration — primarily, that CSfC streamlines the process of getting commercial solutions into a classified environment.

“We are the only option for classified telework accommodation through commercial products,” Ziska notes.

NSA’s pre-vetted list of components includes a range of tools needed to support telework, such as authentication servers from Aruba and Cisco; VMware’s Workspace ONE email client; end-user devices from Motorola and Samsung; Transport Layer Security–protected servers from Cisco, Palo Alto Networks and others; IP Security VPN clients from Cisco, Microsoft and Samsung; and Aruba and Cisco VPN gateways.

Having a pre-vetted inventory of solutions can significantly accelerate an agency’s modernization efforts. “With the approved list, the components are more accessible, and procurement can be less of a challenge,” he says.

We were able to rapidly deploy these technologies and provide secure communications for users working from their telework environment or temporary duty location.”

Brig. Gen. Christopher Eubank Commanding General, 7th Signal Command, U.S. Army

In the absence of CSfC, agencies would likely have to seek out bespoke solutions to their connectivity needs. That slows the wheels and also sets a high bar for the amount of expertise needed to use the technology. Commercial products available through CSfC “are more accessible,” Ziska says. “Most customers are already familiar with their operations.”

Most of the items on the list “are things you have used already — smartphones, different tablets — and that familiarity gets them up to speed a little quicker,” he says.

“We like to think that the components list is pretty comprehensive. There are 22 categories, with dozens of product lines. Through those selections, you should be able to put together a strong solution.”

NSA also works to ensure the list is current. “Having the latest and greatest is a big selling point for CSfC,” Ziska says. “There is an open door for any vendor that wants to have its product evaluated, and the dynamic nature of the list ensures that all those great products are available. Keeping up with industry is a benchmark of success for CSfC.”

CSfC Enables Strong Telework Support for the Army

The initiative at Fort Gordon is designed to lead to solutions for use throughout U.S. military installations. In the wake of the pandemic, that effort has taken on special urgency. “The pandemic has increased the need for the Army to support telework,” Eubank says.

But remote work presents a new technical challenge: how to give workers outside the office access to classified networks and data without compromising security. The ability to rapidly acquire and deploy commercial tools proved key to that effort.

“CSfC has been very important to the teleworking population and increased network connectivity efforts, because the technologies used have allowed for a faster and more cost-effective approach to providing access to both the unclassified and classified networks,” Eubank says.

22

The current number of technology categories on the CSfC component list index

Source: National Security Agency Central Security Service

By tapping the extensive CSfC product list, the Fort Gordon team was able to significantly enhance the Army’s remote work capability in response to COVID-19.

“The Fort Gordon CSfC program has allowed Army units such as Army Futures Command in Austin, Texas, to rapidly gain access to classified networks in newly occupied buildings, thus eliminating the need to install time-consuming and costly, protected distribution systems for traditional classified access,” Eubank says.

“Another advantage of this technology is the reduction of risk from losing classified systems while traveling or teleworking, as the devices themselves store no data thanks to the technologies involved,” he says.

EXPLORE: What are the implications of enabling remote access to classified data?

Air Force Upgrades to Enable Secure Telework

The Army is not alone in seeking best-of-breed solutions via CSfC. The Air Force Research Lab likewise has tapped the NSA program in support of emerging needs.

The AFRL’s Information Directorate at Rome, N.Y., is home to a program that has stepped up “to design and distribute a classified telework solution that was deployed en masse to Air Force senior leaders,” says David M. DeProspero, a deputy program manager within the directorate.

“The CSfC program provides frameworks called capability packages that outline how a site should configure a series of commercial devices in order to achieve a high level of data encryption, sufficient for classified communication,” DeProspero says.

For example, one of AFRL’s most common implementations of CSfC involves a double VPN tunnel transport technique. This strategy “allows a site to transport one or more networks of higher classification over a network of lower classification,” DeProspero says.

Driven by pandemic needs, he says, AFRL deployed the classified telework solution to 1,000 Air Force senior leaders in 2020. The program now includes hub locations around the world, with smaller implementations at U.S. bases.

The effort drew from CSfC’s extensive list of consumer-grade commodity hardware, including “switches, routers, VPN devices, intrusion prevention and detection devices, firewalls, certificate authorities, hard drives, telephones, mobile communication devices and many others,” he says.

CSfC played a crucial role in helping AFRL ramp up telework quickly and securely. The program “represents a revolutionary approach to a very dated method of classified communications,” DeProspero says.

While government-designed cryptographic hardware has always enabled classified communication, “the technology landscape has evolved to a stage where there are other ways to reach the same end goal,” he says. “Modern communication technologies are fast, inexpensive, reliable and backed by warranties with top-tier companies and providers.

“Further, commodity hardware provides for more robust and resilient architectural configurations, and far more flexibility in the design and configuration of those solutions.”

Commercial Tools Help Army, Air Force Upholding Their Missions

For the Army, CSfC has proved critical in maintaining operational readiness. By supporting the rising need for remote connectivity, the Fort Gordon team has enabled military commanders to meet the mission consistently, even in the midst of the COVID-19 crisis.

For the Army — as for any agency that handles classified information — the ability to support telework isn’t just about employee productivity; it’s also about upholding the national security mission, even in turbulent times.

“Senior Army leaders are able to maintain unclassified and classified connectivity during travel, thus maintaining critical situational awareness and command-and-control functions while away from their home station information systems,” Eubank says.

CSfC also delivers guidance to ensure that products are put to use effectively. For instance, a capability package includes details on how hardware can be configured to let classified data flow over unclassified networks.

“While the communication hardware and the data transport techniques are two main components of a telework solution,” DeProspero says, “one must not forget about end-user experience.”

CSfC Best Practices

For agencies looking to utilize the Commercial Solutions for Classified Program, Ziska says it’s best to view it as a collaborative effort.

“The best practice is to engage with us early and often,” he says. “Sharing your ideas for what you are trying to achieve helps us ensure that what you are using is going to fit with the CSfC model. That open and transparent communication is a big part of making a CSfC solution a success.”

More than just a shopping list, CSfC is a partnership between NSA and the agencies. “We are very hands on,” Ziska says. “We are all on the same team, and we are advocates to make these solutions a success. Helping people work through their concerns is definitely part of the service we provide.”

To that end, agencies should expect to have NSA sign off on their CSfC-inspired efforts. “There is a review process where we make sure the t’s are crossed and the i’s are dotted, to ensure the solution meets the requirements and that everything has been configured correctly,” he says.

Photography by Matthew Odom