Commercial Solutions for Classified (CSfC) is the National Security Agency (NSA)’s commercial cybersecurity strategy that leverages industry innovation to deliver solutions with greater efficiency and security.
The program is founded on the principle that properly configured and layered solutions can provide adequate protection of classified data in a variety of different applications. NSA/CSS policy mandates CSfC as the first option to be considered to satisfy a commercial solution (CS) requirement.
A trusted integrator plays a crucial role in helping government customers implement and secure classified information systems. In addition to being responsible for designing, developing, and integrating solutions that meet the stringent security requirements of the Commercial Solutions for Classified (CSfC) program, a trusted integrator should be evolving into the role of trusted advisor. You can learn more about the role of a trusted integrator on NSA’s FAQ page.
The technology and cyberthreat landscapes are quickly evolving, and so are the needs of government agencies. Thus, the role of a trusted integrator must also evolve into that of a trusted advisor, not only to meet current requirements but also to serve as a true partner that guides customers from start to finish. A trusted advisor strives to meet not only all the NSA requirements but also the requirements to achieve authority to operate (ATO), application of DISA STIGs, scanning, hardening, RMF package creation, backend application support, and CDS (if applicable).
With commercial technology, CSfC is enabling the Federal Government to access critical mission data and aid decision-making in real time inside the adversaries’ decision cycle. Thus, several key factors are driving more emphasis on CSfC, including:
Customer and industry adoption is rapidly increasing:
Per the NSA’s CSfC FAQ, trusted integrators are not required by NSA for implementations, though they are strongly recommended. However, given the complexities of the CSfC program, the cyber landscape, and agencies navigating a hybrid workforce post-pandemic, a trusted integrator should be responsible for the implementation, deployment, and registration process. A trusted advisor, on the other hand, is a trusted integrator that understands your “big picture,” and specifically what your agency or department’s business needs are and how CSfC can be utilized to support those needs.
I shared in a recent CSfC panel that as far as evolution goes, there is a significant difference between the role of trusted integrator vs. trusted advisor. Agencies need trusted advisors to not only help navigate CSfC requirements but also to bring in the appropriate vendors and more holistic solutions to serve customer needs. Rather than the siloed CSfC process, a trusted advisor must be able to help a customer by looking at the holistic requirements to come up with the relevant solution. This can include components and capabilities outside of CSfC, like VDI, boundary security stacks, and campus LAN network health assessments.
Whereas trusted integrators often rely on vendors to do the problem solving, a trusted advisor can look at the whole picture and bring in the best vendors and solutions. Here are key considerations when seeking a trusted advisor for CSfC:
1. Security Expertise: Trusted advisors hold deep knowledge and expertise in cybersecurity, including understanding the specific security requirements and guidelines outlined by the CSfC program’s capability packages and their required annexes.
2. Solution Design: Trusted advisors assess the specific security needs and requirements and design an architecture that integrates commercial off-the-shelf (COTS) products to meet those needs. This involves selecting appropriate components, ensuring interoperability, and maintaining the required security posture. Often, this includes integration with legacy Type-1 encryption architecture and compiling a migration plan from legacy to CSfC.
3. Product Evaluation and Selection: As part of their role, trusted advisors evaluate commercial products to determine their suitability for the CSfC program. They assess products against the program's security requirements, including cryptographic modules and algorithms.
4. Security Implementation: Trusted advisors are responsible for implementing the selected products and technologies into a secure system architecture. This includes configuring the systems, deploying encryption mechanisms, setting up secure communication channels, and implementing other necessary security controls. They must work closely with vendors, suppliers, and system administrators to ensure proper installation and configuration.
5. Testing and Certification: Once the system is implemented, trusted advisors perform rigorous testing and evaluation to validate its security and compliance with the CSfC guidelines. They conduct comprehensive security assessments, vulnerability testing, and penetration testing to identify and mitigate any potential weaknesses or vulnerabilities.
6. Documentation and Compliance: Trusted advisors generate the necessary documentation and assist in the preparation of capability packages and supplicant annexes required for CSfC certifications. This documentation includes capability package and annex checklists, submittal and approval for deviations, architecture diagrams, configurations, and other supporting materials outside of CSfC. For example, this includes verifying DISA STIG compliance, Cross Domain Solution (CDS) registration with NSDSMO, explanation of compliance to AO, Risk Management Framework (RMF) package updates, and other artifacts required for an ATO.
Overall, a trusted advisor goes above and beyond as a crucial partner in the CSfC program, leveraging their expertise to design, implement, and secure classified information systems using commercial technologies. They play a vital role in ensuring the confidentiality, integrity, and availability of sensitive information while adhering to the rigorous security standards set forth by the program.
At Iron Bow Technologies, we seek to go beyond the role of trusted integrator and serve as trusted advisor to our customers through the CSfC program. Here’s how Iron Bow can help you as a trusted advisor:
Need help with implementing CSfC? Learn how Iron Bow can help you as a trusted advisor by reaching out to our team of experts here.