The Commercial Solutions for Classified (CSfC) Program is a process that enables commercial products to be used in layered solutions to protect classified information while speeding up the deployment timeline so that a solution can be fielded in months, versus years. The program was designed to allow use of multiple unclassified commercial off the shelf (COTS) products instead of classified Type 1 Government accredited products to secure classified data within Government deployments.
CSfC Capability Packages require CSfC-approved components, however there are no component categories or Protection Profiles (PP) specified for hardware security modules or key managers, like those offered by Thales Trusted Cyber Technologies (TCT). Many of Thales TCT’s products can address several requirements found in various PPs (i.e. PP for Certification Authority) to support a deployment that can become CSfC-approved.
Thales TCT’s encryption and data protection portfolio can be used to support layered solutions that increase cyber resiliency. The NSA’s CSfC program office has established several Capability Packages to provide DoD and government agencies with specific technical architectures and well-documented approaches to protect data in transit and data at rest.
Since a PP for HSMs does not exist, Thales TCT’s Hardware Security Modules (HSMs) are not CSfC approved. However, Thales TCT’s HSMs are officially approved for use in National Security Systems. The Memorandum for The National Security Systems Public Key Infrastructure Member Governing Body Document, CNSS-063-2017, was issued in January 2018 and explicitly approves the Thales TCT’s Luna SA HSM as an approved Hardware Security Module for the National Security Systems Public Key Infrastructure. When the CSfC program creates an HSM Component category and develops a corresponding PP, Thales TCT HSMs will be submitted for approval.
While there are no PPs for HSMs, several Capability Packages make reference to a Public Key Infrastructure (PKI) or using an HSM. Many customers have used Thales TCT’s Luna SA HSM to meet the full intent of their designated PP. Thales TCT’s HSMs can fit into all available CSfC capability packages if they are deployed using an online Certificate Authority (CA). This is typically the case for a true enterprise PKI solution. Tactical deployments make use of off-line CAs and therefore, do not require (per CSfC policy) the use of an HSM in their system although it is still considered a best security practice to use an HSM to protect the keys of off-line CAs.
There are no explicit requirements for an HSM in the Data at Rest capability package, however it calls out some standard key management requirements. Incorporating the use of the Thales TCT HSM will enhance the overall security posture of the solution.
There is not a PP applicable to Thales High Speed Encryptors (HSE) so they are not CSfC approved. The only approved PP for network encryption at Layer 2 is for a network device that implements Media Access Control Security (MACsec) encryption.
MACsec is a standard that was designed to encrypt Local Area Networks. It is increasingly built into third-party switches or routers, and is built into the ASICs (or silicon) of many of those devices. MACSec is generally very low cost or even free with some devices, and it has adequate performance due to its use of hardware encryption.
However, there are several practical problems with MACSec. From a standards perspective, MACSec is not ideal for many carrier links because of the encrypted frame format and key management messages. MACSec is also not suitable for multipoint topologies and does not provide the high assurance features that the Thales HSE product family offers:
By contrast, HSE uses a carrier agnostic key management and encryption method based on formal IEEE recognized key management frames that means HSEs can work across all carrier environments. HSEs are field upgradable, support built-in crypto-agility and have higher performance than MACsec solutions.
While CSfC targets P2P deployments, Thales’s HSE offering provides an overall more secure and robust network encryption solution to meet the needs of our Federal customers.
There is not a PP applicable to Thales TCT KeySecure for Government (KeySecure), so they are not CSfC approved. In fact, CSfC currently has no notion of centralized key management. However, Thales TCT’s KeySecure appliance greatly simplifies the ability to manage, store and secure cryptographic keys. It also facilitates near-instant and cryptographically secure full disk erasure. These capabilities allow for strong key management in support of various CSfC models.