Sponsored: NSA Type 1 Products vs. Commercial Solutions for Classified (CSfC)
For decades, Type 1 has been the National Security Agency’s most prized cybersecurity designation, describing technology that can effectively keep the nation’s most classified information under lock and key.
Recent years, however, have seen the growth of NSA’s Commercial Solutions for Classified (CSfC) program, which offers an alternative to Type 1 products.
With these two competing options, it is important to understand what the difference between Type 1 and CSfC really is and which one is best for your use case.
Below, we’ll discuss everything you need to know about both NSA Type 1 and the CSfC program.
What Is NSA Type 1 Equipment?
The U.S. federal government controls vast quantities of classified information, ranging from Confidential to Secret and Top Secret.
In order to constantly maintain a high level of IT security, the U.S. has established in-depth requirements for how this data can move over electronic systems and networks.
More specifically, NSA defines a Type 1 product as “cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed.”
The term “Type 1” also refers to any cryptographic algorithm (or “Suite,” as NSA refers to them) that has been approved by NSA for use within Type 1 equipment.
Examples of Type 1 cryptography include 256-bit AES (Advanced Encryption Standard)—which falls under NSA Suite B—as well as the classified SAVILLE voice encryption algorithm.
One example of NSA Type 1 equipment is a HAIPE (High Assurance Internet Protocol Encryptor), which is a device that protects network traffic with NSA Type 1 encryption. The general term COMSEC (communications security) material is also often used to refer to Type 1 cryptographic hardware and keys.
NSA devotes tens of millions of dollars per year out of its “black budget” in order to develop Type 1 equipment. As such, Type 1 devices come with extremely strict requirements for use and protection.
Because Type 1 appliances are themselves considered classified, they must be accompanied and guarded at all times. Users also need to obey regulations when securing and storing Type 1 devices, and losing Type 1 equipment can have serious consequences, up to and including criminal prosecution.
What Is CSfC?
Type 1 equipment is generally considered to be highly effective and secure. However, there’s one major problem: Type 1 security requirements are so stringent as to be often impractical. For example, users subject to Type 1 requirements may have to leave home and drive to the office in order to check their email.
The basic idea behind the CSfC program is “defense in depth” (DiD), a well-established concept in cybersecurity. By layering multiple commercial IT security solutions on top of each other, the risk that all of these solutions will fail is much lower than it would be when using a single solution.
Just think of how banks defend against robberies, combining a variety of security methods: cameras, security guards, panic buttons, and even dye packs and decoy money.
Similarly, combining IT security best practices like firewalls, intrusion detection systems (IDS), and encryption is much more likely to protect sensitive data than relying on a single solution.
One of the key requirements in CSfC is double encryption for data in transit and data at rest.
For example, NSA’s guidelines for multi-site connectivity require classified data packets to be encrypted twice before being sent over an untrusted network: first by an Inner Encryption Component, and then by an Outer Encryption Component.
This twice-encrypted data must then be decrypted twice after arriving at its destination.
What’s the Difference Between Type 1 and CSfC?
The technology within NSA Type 1 and CSfC is different, as are the manufacturers of this technology: the NSA itself or trusted systems integrators in the former case, and third-party commercial vendors in the latter.
However, the purpose of both is the same: helping the U.S. government to protect classified data.
It’s important to note that CSfC represents an alternative to Type 1 solutions, not a replacement for them as of yet.
According to the NSA CSfC handbook: “NSA CSfC has not replaced Type 1 solutions. Based on the client's needs, NSA will use the correct tool for the right job.”
Type 1 products are still widely in use across U.S. government agencies.
Rather than converting from Type 1 solutions to CSfC, the debate is more about selecting between Type 1 and CSfC for new initiatives and replacing the legacy Type 1 solutions as IT refreshes occur.
NSA itself is promoting CSfC, and these days Type 1 is seen as more of a legacy solution.
As the CSfC program has continued to grow, it has developed more clear-cut policies, making it easier for users to deploy these solutions in practice.
Advantages of CSfC
The advantages of CSfC include:
- No need for specialized training: Using Type 1 products requires advanced knowledge that you can’t develop overnight. CSfC, on the other hand, requires only knowledge of commercial technologies that already make up standard cybersecurity architectures, so in most cases, your team doesn’t have to go through special training to use them.
- Total cost of ownership (TCO): The upfront cost of CSfC is higher when compared with Type 1 solutions. But after several years, the TCO of CSfC decreases significantly, to the point where it becomes the much less expensive solution.
- Faster to start: Although it depends somewhat on the organization, it’s usually easier to get up and running with CSfC. This will only become truer as adoption of the CSfC program increases. Type 1 can sometimes be quicker, because it’s a known quantity for the “old guard” who have been in the field for decades, but this should change with greater awareness of CSfC.
- Higher technical flexibility: If you have limited options for backhaul on your Internet connection, CSfC is often the wiser choice as it enables you to use any common type of Internet connection, from satellite to 4G. Type 1, on the other hand, often limits you to certain satellite networks or dedicated Internet connections such as MPLS links, which can be very expensive.
- Less risk of ownership: Using CSfC products involves lower risk of ownership due to the less stringent security requirements and the use of commercial hardware. There’s no need to place all of the devices in a secure safe watched by guards 24/7, for example. This also means that CSfC is good for situations that are inherently higher-risk.
Thanks to its flexibility and ease of getting started, CSfC excels when it comes to any type of remote work, or any situation where you need to set up a temporary SOC (security operations center).
It’s also easy to imagine where CSfC would shine for future use cases such as drones, which can easily be shot down and lost to the enemy—in which case, you don’t want Type 1 equipment falling into the wrong hands.
Getting Started with CSfC
A proper implementation of CSfC requires at least half a dozen components from different vendors in which each component within your final product will need to be CSfC approved.
To simplify the process, NSA provides Capability Packages, which are reference architectures to be used as a starting point for building a CSfC solution.
Using a Capability Package greatly increases the odds that your final CSfC solution will receive NSA certification.
NSA currently provides the following Capability Packages:
- Mobile Access Capability Package
- Campus WLAN Capability Package
- Multi-Site Connectivity Capability Package
- Data at Rest Capability Package
If you’re daunted by the very prospect of getting started, NSA also provides a list of Trusted Integrators—third-party contractors who have met a strict set of criteria. These organizations can help you navigate the CSfC process, offering their assistance and technical expertise along the way.
If you’d prefer not to develop a solution in house, there are also a number of vendors that make CSfC kits.
After finding the right CSfC vendor and outlining your use case, you can remain fairly hands-off during the development process. Once this is complete, you can submit the final CSfC solution to NSA for approval.
To sum up: no matter your level of technical expertise or time commitment, a CSfC solution is within reach.
The Bottom Line
CSfC is a newer alternative for handling classified data that offers several advantages over legacy NSA Type 1 solutions, including less risk, and lower costs over the long haul.
As the CSfC program continues to evolve and mature, you can expect that the benefits of CSfC will only continue to increase.
If you’re deciding between Type 1 and CSfC for your own organization, we encourage you to check out CSfC for yourself—speak with an NSA Trusted Integrator or qualified CSfC vendor who can help you understand where to get started.