CSfC Technology Day 2019 recap

On October 10, 2019, in Baltimore, Maryland, component suppliers, trusted integrators, the National Security Agency (NSA), the Department of Defense (DoD), defense primes and other companies assembled to discuss cutting-edge data security solutions to protect national security systems (NSS). The second annual Commercial Solutions for Classified (CSfC) Technology Day, sponsored by Mercury Systems with partner and trusted integrator Tribalco, presented a comprehensive lineup related to the program and significant data security solutions.

The event built on the success of the first event in 2018 that highlighted the benefits of the program and exposed end users to suppliers and trusted integrators supporting CSfC solutions. This year experts spoke on three main areas:

1. Updates to new data-at-rest (DAR) capability packages
2. Solutions for secure mobility and the tactical edge
3. Protections for future use cases including unattended operations and anti-tamper

In its fifth year, the CSfC program has gained authority as an agile and desirable alternative to Type 1 cryptographic products. The high participation at this event by many of the defense primes and government suggests that CSfC-certified solutions are requirements in many new program requests for proposals (RFPs). The NSA, again in large attendance as it was last year, communicated that registrations and fielded solutions are rapidly increasing, with DAR solutions showing the largest percentage increase (Figure 1).

Figure 1: CSfC registrations, October 2018 through July 2019. DAR: Data at Rest; WLAN: Campus Wireless Local Area Network; MSC: Multi-Site Connectivity; MA: Mobile Access.

The NSA delivered well-received updates on the next two DAR capability package releases. The new version 4.8, out for industry comments until December 5, 2019, covers numerous new use cases and design solutions. Enterprise management has been included for a DAR enterprise solution leveraging a complementary CSfC data-in-transit (DIT) capability package or a high assurance government-off-the-shelf (GOTS) solution as the secure communication channel. The long-awaited use case for unattended operations covers data centers, overrun scenarios and unmanned systems.

This will dramatically expand the application coverage for these DAR solutions, previously only achieved by using a Type 1 product. Additionally, this version adds specifications for a two-hardware full disk encryption (HWFDE) design solution, giving users new flexibility for DAR protection, especially in the absence of Linux-based software full disk encryption (SWFDE). The next version, 5.0, due for review in May of 2020, will focus on defining operational control and anti-tamper and detection requirements.

Concerns from last year regarding the component certification and solution registration process carried over into this year. While acknowledging the community’s concerns, NIAP stood firm on the program’s two-year certification period, stating their need to frequently reevaluate products to avoid potential security risks and stay aligned with evolving protection profiles. They did not directly address the exhaustive time and cost concerns brought forward by many attendees.

To complement the NSA program updates, experts from industry leaders Mercury, Tribalco, Star Lab, Raytheon, and PacStar presented new solutions in secure mobility and at the tactical edge, with future use cases for side-channel attack countermeasures. Trusted integrators and end users also gained insight on a welcome and needed addition for DAR solutions. The first Linux-based file and full disk encryption software, the Titanium Security Suite from Star Lab, will be CSfC-listed in quarter 1 of 2020. The first secure mobile device was introduced by Tribalco with their partners Bittium and Cog Systems. The Bittium Tough Mobile 2, with dedicated security circuitry, combined with the Cog Systems D4 Secure platform, provides both DAR and DIT solutions while leveraging advanced anti-tamper techniques proven effective in a video demonstration. PacStar’s secure wireless command post and integrated mobile gateway provide turnkey solutions that reduce complexity for the warfighter while offering secure and reliable communications at the tactical edge.

System security engineering (SSE), including anti-tamper, was a hot topic discussed throughout the day, which is in line with the direction of DAR CP version 5.0 due out next year. While it is not a current CSfC requirement, component suppliers and trusted integrators expressed the importance of SSE and shared how their companies are combatting the exploitation of mission-critical information, technology, components and functions by our adversaries. Raytheon Space and Airborne Systems, a recently listed trusted integrator, detailed their program protection framework, including SSE and anti-tamper, and its intersection with CSfC solution development. Mercury Systems explored the notion that advanced countermeasures for side-channel attacks are proven more effective in hardware than in software. This laid the groundwork for the first hardware-hardware DAR solution with anti-tamper capabilities.

As adversarial skills continue to advance, security solutions must be agile and constantly evolve to counter new threats. CSfC events like this foster the innovation these solutions require by bringing the ecosystem together and building relationships between industry leaders and the government agencies responsible for creating the programs that protect our nation’s most sensitive data.

In closing, if you want a seamless component certification or solution registration process, a little piece of advice learned at the event: never, ever capitalize the “f” in CSfC. Denoting the program as CSFC is a major pet peeve of the agency.

To learn more about this event or CSfC, please visit the CSfC website or email csfc@mrcy.com.