Iron Bow Trusted Advisor for Commercial Solutions for Classified Program
Keith Stacy | July 6, 2023 | 6 min read

Trusted Advisor Vs. Trusted Integrator for CSfC: What’s the Difference?

What is CSfC?

Commercial Solutions for Classified (CSfC) is the National Security Agency (NSA)’s commercial cybersecurity strategy that leverages industry innovation to deliver solutions with greater efficiency and security.

The program is founded on the principle that properly configured and layered solutions can provide adequate protection of classified data in a variety of different applications. NSA/CSS policy mandates CSfC as the first option to be considered to satisfy a commercial solution (CS) requirement.

What is a Trusted Integrator?

A trusted integrator plays a crucial role in helping government customers implement and secure classified information systems. In addition to being responsible for designing, developing, and integrating solutions that meet the stringent security requirements of the Commercial Solutions for Classified (CSfC) program, a trusted integrator should be evolving into the role of trusted advisor. You can learn more about the role of a trusted integrator on NSA’s FAQ page.

What is a Trusted Advisor?

The technology and cyberthreat landscapes are quickly evolving, and so are the needs of government agencies. Thus, the role of a trusted integrator must also evolve into a trusted advisor to not only meet current requirements but also to serve as a true partner to guide customers from start to finish. A trusted advisor strives to meet not only all the NSA requirements but also the requirements for achieving authority to operate (ATO), applying DISA STIGs, scanning, hardening, RMF packet creation, backend application support, and CDS (if applicable).

What Is Driving the Renewed Focus on CSfC?

With commercial technology, CSfC is enabling the Federal Government to access critical mission data and aid decision-making in real time inside the adversaries’ decision cycle. Thus, several key factors are driving more emphasis on CSfC, including:

  • The Covid-19 pandemic, which gave agencies a strong understanding of contingency plans that should also include employees working from home
  • The need for quantum-resistant encryption methods
  • Zero Trust Architecture requiring a more granular level of analytics and reporting
  • Enabling the warfighter in areas that legacy type-1 encryption devices wouldn’t normally be allowed

Customer and industry adoption is rapidly increasing:

  • Fourfold increase in registered DoD/IC/Civil Agency customers since 2015.
  • Over 80 trusted integrators to build, test, and maintain CSfC solutions according to gov.
  • Hundreds of approved commercial components spanning key technology categories.

Trusted Integrator Vs. Trusted Advisor: What’s the Difference?

Per the NSA’s CSfC FAQ, trusted integrators are not required by NSA for implementations, though they are strongly recommended. However, given the complexities of the CSfC program, the cyber landscape, and agencies navigating a hybrid workforce post-pandemic, a trusted integrator should be responsible for the implementation, deployment, and registration process. A trusted advisor, on the other hand, is a trusted integrator that understands your “big picture,” and specifically what your agency or department’s business needs are and how CSfC can be utilized to support those needs.

I shared in a recent CSfC panel that as far as evolution goes, there is a significant difference between the role of trusted integrator vs. trusted advisor. Agencies need trusted advisors to not only help navigate CSfC requirements but also to bring in the appropriate vendors and more holistic solutions to serve customer needs. Rather than the siloed CSfC process, a trusted advisor must be able to help a customer by looking at the holistic requirements to come up with the relevant solution. This can include components and capabilities outside of CSfC, like VDI, boundary security stacks, and campus LAN network health assessments. 

What to Look for in a Trusted Advisor

Whereas trusted integrators often rely on vendors to do the problem solving, a trusted advisor can look at the whole picture and bring in the best vendors and solutions. Here are key considerations when seeking a trusted advisor for CSfC:

1. Security Expertise: Trusted advisors hold deep knowledge and expertise in cybersecurity, including understanding the specific security requirements and guidelines outlined by the CSfC program’s capability packages and their required annexes.

2. Solution Design: Trusted advisors assess the specific security needs and requirements and design an architecture that integrates commercial off-the-shelf (COTS) products to meet those needs. This involves selecting appropriate components, ensuring interoperability, and maintaining the required security posture. Often, this includes integration with legacy Type-1 encryption architecture and compiling a migration plan from legacy to CSfC.

3. Product Evaluation and Selection: As part of their role, trusted advisors evaluate commercial products to determine their suitability for the CSfC program. They assess products against the program's security requirements, including cryptographic modules and algorithms.

4. Security Implementation: Trusted advisors are responsible for implementing the selected products and technologies into a secure system architecture. This includes configuring the systems, deploying encryption mechanisms, setting up secure communication channels, and implementing other necessary security controls. They must work closely with vendors, suppliers, and system administrators to ensure proper installation and configuration.

5. Testing and Certification: Once the system is implemented, trusted advisors perform rigorous testing and evaluation to validate its security and compliance with the CSfC guidelines. They conduct comprehensive security assessments, vulnerability testing, and penetration testing to identify and mitigate any potential weaknesses or vulnerabilities.

6. Documentation and Compliance: Trusted advisors generate the necessary documentation and assist in the preparation of capability packages and supplicant annexes required for CSfC certifications. This documentation includes capability package and annex checklists, submittal and approval for deviations, architecture diagrams, configurations, and other supporting materials outside of CSfC. For example, this includes verifying DISA STIG compliance, Cross Domain Solution (CDS) registration with NSDSMO, explanation of compliance to the AO, Risk Management Framework (RMF) package updates, and other artifacts required for an ATO.

Overall, a trusted advisor goes above and beyond as a crucial partner in the CSfC program, leveraging their expertise to design, implement, and secure classified information systems using commercial technologies. They play a vital role in ensuring the confidentiality, integrity, and availability of sensitive information while adhering to the rigorous security standards set forth by the program.

What Makes Iron Bow a Trusted Advisor?

At Iron Bow Technologies, we seek to go beyond the role of trusted integrator and serve as trusted advisor to our customers through the CSfC program. Here’s how Iron Bow can help you as a trusted advisor:

  • Key Industry Partnerships: Iron Bow has longstanding relationships with leading networking, virtualization, security, and system integration technology vendors with ongoing education in the latest technologies.
  • Customer Intimacy: The Iron Bow Way is “Customer first and mutual respect for all members of our community.” We possess the full understanding of our customers’ IT environments as well as the way they need technology to support day-to-day work.
  • The “Right” Skills: Iron Bow offers unique network and software expertise through developers and network engineers on staff. These groups work together daily to provide the right blend of skillsets needed to perform this work and are capable of a full end-to-end network design.
  • Automation: We have the ideal solution built with infrastructure as code and options to leverage device as a service to make the most of your implementation. We can help you with deployment automation as well as sustainment automation.

Need help with implementing CSfC? Learn how Iron Bow can help you as a trusted advisor by reaching out to our team of experts here.

Keith Stacy

Keith Stacy is a Domain Architect in Solution Engineering at Iron Bow Technologies, bringing more than two decades of professional experience in cybersecurity and enterprise infrastructure technologies. He is part of the Iron Bow Global Security Practice, where his primary responsibility is to help federal agencies modernize and mature their cybersecurity programs and network infrastructure. Keith’s core focus is security engineering, security architecture (CSfC, CDS, DISA STIGs, & C2C) and security consulting. Before joining Iron Bow, Keith held various engineering positions in a wide base of industries, including 10 years as a DOD contractor. He has served as CENTCOM Forward’s Network Operations Lead in Kuwait, JNCC-A Network Operations Lead in Bagram, Afghanistan, Commercial Solutions for Classified (CSfC) Subject Matter Expert for EUCOM in Stuttgart, Germany, and U.S. Air Forces in Europe (USAFE/A6) Network Lead in Ramstein, Germany.