Back in the early aughts, the NSA created a program called CSfC – or Commercial Solutions for Classified. As we explain in our post “Innovation, Integrity & Affordability: Why CSfC Matters,” this program “allows commercial off-the-shelf technology to be used in secure government communications.” Before the CSfC program, cybersecurity and DAR storage solutions were developed solely by those on the government’s payroll. With limited funding, such solutions took years to develop and pass through the approval process. On the other hand, private companies with access to top-tier talent and significant funds released innovative products regularly.
The CSfC components list allows government agencies to use those products as long as certain criteria are met. When the program was in its infancy, the NSA and other agencies would issue waivers if a particular product or service was not CSfC-listed. In fact, the NSA issued waivers for solid-state drives and similar products earlier this year. However, the inclusion of DIGISTOR FIPS SSDs on the CSfC list in April 2023 has eliminated the need for waivers in this space. In this post, we review the benefits of CSfC listing and consider the impact this action might have.
What is Commercial Solutions for Classified (CSfC)?
Commercial Solutions for Classified (CSfC) is an innovative program developed by the National Security Agency (NSA) that aims to provide secure and efficient solutions for handling classified information. In simple terms, it is a framework designed to enable commercial off-the-shelf (COTS) products and technologies to be used in securing sensitive data at the same level as traditional classified systems. This groundbreaking approach allows organizations to take advantage of commercially available technology while ensuring the protection of classified information.
How Does CSfC Function?
The CSfC program recognizes the rapid advancements made in the commercial sector regarding cybersecurity and encryption capabilities. It leverages these developments to create a flexible and cost-effective solution for safeguarding classified data. By utilizing COTS products and technologies, organizations can not only save on costs but also benefit from continuous innovation and improvements driven by the commercial market.
Moreover, CSfC follows strict standards and requirements set by the NSA to ensure the integrity and confidentiality of classified information. Products or technologies seeking certification under this program undergo rigorous evaluation processes to guarantee their suitability for handling sensitive data. To learn more about the validation process, check out this resource from the NSA.
The aim is to establish a trusted ecosystem of solutions that meet the highest security standards while still being commercially viable. Once listed, these products are qualified to safely store top-secret DAR.
CSfC Requires Two Layers of Encryption for DAR Solutions
One key aspect of CSfC capability packages is the concept of layered security, where multiple layers of different security mechanisms are employed to protect classified information. These layered solutions consist of various components such as virtual private networks (VPNs), firewalls, intrusion detection systems (IDS), and cryptographic modules.
By integrating these different elements, CSfC ensures robust protection against potential threats to federal agencies and other government customers. In a true CSfC solution, there will be at least two layers of encryption designed to protect classified national security systems and other sensitive data.
As this resource from NIST explains, capability packages with two layers of encryption designed to safely store classified information are often called “COTS end-to-end strategies.” Our Citadel™ K Series SSDs provide one layer of protection – meaning a second layer is still needed from another source. However, stay tuned: we are working on providing that second layer ourselves.
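To make the "two independent layers" idea concrete, here is an added example (not DIGISTOR's code and not part of any CSfC capability package): data is sealed by an inner layer and then by an outer layer, each with its own independently generated key, so that peeling off one layer still leaves ciphertext, and tampering or a wrong key at either layer is rejected. The page does not name the algorithms or components a listed solution uses; both layers here are AES-256-GCM with in-memory keys, which is an assumption chosen for illustration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Layer is one independently keyed encryption layer.
// ASSUMPTION: AES-256-GCM is used for both layers; a real CSfC solution
// would pair distinct components (for example a self-encrypting drive and
// a software full-disk encryption product), not two copies of one library.
type Layer struct {
	aead cipher.AEAD
}

// NewKey returns a fresh 32-byte AES-256 key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// NewLayer builds a layer from its own key; keys are never shared between layers.
func NewLayer(key []byte) (*Layer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Layer{aead: aead}, nil
}

// Seal encrypts and authenticates plaintext; output is nonce || ciphertext || tag.
func (l *Layer) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, l.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, l.aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// Open verifies the tag and decrypts; any modification of the blob fails here.
func (l *Layer) Open(blob []byte) ([]byte, error) {
	ns := l.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return l.aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// EncryptTwoLayer applies the inner layer first, then the outer layer.
func EncryptTwoLayer(inner, outer *Layer, data []byte) ([]byte, error) {
	c1, err := inner.Seal(data)
	if err != nil {
		return nil, err
	}
	return outer.Seal(c1)
}

// DecryptTwoLayer peels the outer layer, then the inner layer.
// Both keys are required: the outer layer alone yields only inner ciphertext.
func DecryptTwoLayer(inner, outer *Layer, blob []byte) ([]byte, error) {
	c1, err := outer.Open(blob)
	if err != nil {
		return nil, fmt.Errorf("outer layer: %w", err)
	}
	data, err := inner.Open(c1)
	if err != nil {
		return nil, fmt.Errorf("inner layer: %w", err)
	}
	return data, nil
}

func main() {
	k1, _ := NewKey()
	k2, _ := NewKey()
	inner, _ := NewLayer(k1)
	outer, _ := NewLayer(k2)
	// Constructed sample payload; not real classified data.
	msg := []byte("constructed sample: data-at-rest payload")
	blob, _ := EncryptTwoLayer(inner, outer, msg)
	partial, _ := outer.Open(blob)
	fmt.Printf("outer layer alone reveals plaintext: %v\n", string(partial) == string(msg))
	back, err := DecryptTwoLayer(inner, outer, blob)
	fmt.Printf("both layers: %q err=%v\n", back, err)
}
```

The point the code makes is structural rather than cryptographic: because the keys are independent, the compromise of one layer's key or implementation does not expose the data, and authenticated encryption at each layer means corruption is detected before the next layer ever sees it.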
What Value Does the CSfC Program Offer?
- It Offers Access to Affordable, Secure Solutions
- It Makes Government Agencies and Programs More Flexible
- It Enables Faster Deployment of New Technologies
- It Pushes Private Companies to Innovate and Exceed Industry Standards
- It Provides Typical CSfC Clients with the Latest and Greatest Cybersecurity Products
- It Leverages Cutting-Edge Technologies to Protect Our National Security Systems
Why Did the NSA Issue Waivers for Non-CSfC Products?
If cybersecurity and the protection of data at rest are so important when dealing with classified information, why would the NSA issue waivers for non-CSfC or GOTS products? A waiver, in this context, refers to an exemption or exception granted by the government that allows certain CSfC requirements to be bypassed.
In the past, organizations that needed secure drives like our Citadel K Series SSDs could request a waiver from the NSA or another agency. That waiver would allow organizations to use a similar drive that did not entirely meet specific criteria or standards set forth by the CSfC program. After all, the goal of the CSfC program is to provide organizations with access to the latest and greatest cybersecurity products so they can leverage that cutting-edge technology to protect our national security.
Founded in the early 2000s, the CSfC program is still fairly young. As such, many companies have not made CSfC listing a priority. Plus, the validation process is lengthy and complex. It takes quite a while for the NSA’s third-party assessors to examine, approve, and place DAR solutions on the list.
Given this, the National Security Agency occasionally grants waivers to organizations that need to implement cybersecurity solutions right now but do not have access to a GOTS product or one on the CSfC list.
What Does Digistor’s CSfC Listing Mean for the Future of NSA Waivers?
Before our drives were CSfC-listed, there was no storage solution like ours on the official list, and people developing similar technology had to obtain a waiver from the NSA. Now that our drives are listed, the NSA no longer plans to issue waivers for similar products. Historically, solution developers and implementers were able to obtain a waiver because there was no listed storage component; with our drives on the list, there is no reason to grant one.
Of course, this does not mean that organizations will stop pursuing waivers or that agencies beyond the NSA will never grant another request. However, agencies are supposed to refrain from issuing them. Until other drives like ours achieve CSfC listing, ours will continue to be the only products of this nature that the NSA allows government agencies and affiliates to use. They are the sole solution with the agency’s seal of approval, so to speak.
No Cyber Waiver Needed: Final Thoughts
When the program was founded back in the early aughts, Commercial Solutions for Classified (CSfC) represented a significant shift in how we handle classified information. Today, it harnesses the power of commercial off-the-shelf products and technologies – allowing organizations to embrace cutting-edge innovations without compromising security. With its emphasis on layered security and adherence to stringent standards, CSfC provides a reliable framework for protecting classified data in today’s rapidly evolving digital landscape.
Because of this intense focus on unparalleled security for highly sensitive DAR, the NSA would grant waivers to non-CSfC solutions only on rare occasions. With the inclusion of our drives on the CSfC components list, however, there is no need to risk the security of classified data by using unapproved products.