The NSA’s core function is to gather and analyze data. But the NSA is also expected to secure and protect sensitive information, and as part of that role NSA security experts have launched a program to integrate more commercial off-the-shelf products.
The benefits could be twofold: First, by moving from Government-Off-The-Shelf (GOTS) to Commercial-Off-The-Shelf (COTS), the NSA hopes to save money, while at the same time improve its security posture. Second, commercial products that pass NSA muster can also be used by enterprise IT, so the program could end up raising the security bar for everyone.
Clint McKay, technical director in the NSA’s Information Assurance Directorate (IAD) is developing the Commercial Solutions for Classified (CSfC) program. “The CSfC enables commercial products to be used in layered solutions protecting classified NSS data (National Security Systems). We provide the ability to communicate securely using commercial standards and solutions. In doing so we keep pace with the rapid rate of change in IT, something that is very difficult to do when using traditional GOTS solutions.”
Traditionally, the intelligence and military communities have relied heavily on GOTS products because they can be specially created or modified to protect sensitive or classified information. The problem is that creating GOTS products typically takes much longer and costs more than COTS. Plus, these products are often feature-poor compared to COTS versions.
McKay believes that progress in the CSfC program could address needs in commercial or other non-governmental agencies. He says, “The intelligence community needs secure access to data at the point of need like the private sector does; a warfighter needs access to intelligence information while denying hostile combatants access to that same information. The banking industry needs access to financial information while denying cybercrooks access. The same goes for healthcare, law, or business in general. So, yes, we are looking to address a lot of the same problems.”
What drove the need for the CSfC?
The NSA saw the need for information assurance increasing, but found that GOTS solutions could not keep up. McKay says, “In a lot of cases, the commercial industry already had products that addressed our customers’ needs.” The customers he is referring to are the NSA’s own offices as well as the rest of the federal government that ostensibly follows the guidelines for security defined by the agency. That includes all 17 organizations that make up the intelligence community (IC), the various military components, and everything else, including the White House.
He adds, “If we could engage those vendors early in the design and the development phase, and if they were to build security into their products rather than bolt it on later, we could use commercial products to solve the same problems that in the past we relied strictly on GOTS solutions for.”
Who’s on the list?
Vendors with products that have made the CSfC list include Aruba, Boeing, Cisco, MobileIron, AirWatch, Juniper, Microsoft, and Samsung. It is important to note that, once approved, it is not the product alone; it is an approved system of systems involving that commercial component.
McKay explains that “the CSfC program leans fairly heavily on the National Information Assurance Partnership (NIAP) to validate the goodness of components used in CSfC solutions.” Indeed, while NIAP serves a much broader set of customers than just CSfC customers, it clearly serves as a kind of filter for the NSA. For the NSA’s CSfC Program to even consider a product, it must be NIAP certified or have made a commitment (CSfC MoA) to obtain NIAP certification by a deadline that generally ranges between one and 12 months.
Any vendor that is willing to evaluate against the approved NIAP protection profile, to complete FIPS certification, that has the business processes in place to fix vulnerabilities, and that will sign a memorandum of agreement with the NSA is eligible to be on the CSfC list. Neither the vendor company itself nor any staff member of that company needs a security clearance.
The mandate of NIAP is to do the information assurance testing for the U.S. Government and to oversee Common Criteria evaluations conducted in the U.S. under the Common Criteria Recognition Arrangement (CCRA). For a vendor to complete a NIAP evaluation, it must use the relevant protection profiles. For example, for a VPN gateway, that would mean the Network Device Protection Profile together with the VPN gateway extension. A mobile platform would use NIAP’s Mobile Device Fundamentals Protection Profile.
It is important to note that the CSfC program goes a bit further, because the IC must do more than just protect sensitive unclassified data: it must protect data all the way up to the secret and top secret levels. As such, some selections that are optional in the baseline NIAP profile are mandatory for inclusion in the CSfC.
CSfC goes mobile
Perhaps the best example of an area that calls for enhanced security is mobility. Lonny Anderson, the NSA’s CIO, said in a recent interview with Network World that the agency did not want its staff to “leave more technology in their car than they would have at their desks.” It may well be that the problem is on the way to being solved, at least by smartphone manufacturers that incorporate NIAP’s Mobile Device Fundamentals Protection Profile.
One aspect has to do with protecting “data-at-rest” and adding protection for “sensitive data”, as explained in the profile. For instance, it states that “data and keys that have been marked as sensitive will be subject to certain restrictions (through other requirements) in both the locked and unlocked states of the mobile device. This mechanism allows an application to choose those data and keys under its control to be subject to those requirements.” Considering that a 2013 Pew Research Center survey revealed that 60% of smartphone users access the Internet using their phones instead of other devices, protecting sensitive data (such as bank account login information) for the private sector is increasingly critical.
The CSfC program has already impacted the private sector. One example is that more commercial products now implement Suite B cryptography. Suite B cryptographic algorithms are specified by NIST and include encryption, key exchange, digital signature, and hashing. For example, CSfC might call for Diffie-Hellman using NIST Curves P-256 and P-384. The CSfC program is looking for vendors to enable mobile devices to generate a device-wide sensitive data asymmetric pair (the private key of which is protected by a password-derived key encryption key, or KEK) and, for each piece of received sensitive data to be stored, a separate data asymmetric pair.
To store sensitive data, the device-wide public key and the data private key would be combined to generate a shared secret, which can be used as a KEK or as a data encryption key (DEK). The data private key and the shared secret would be cleared after the data is encrypted, and the data public key would be stored. Thus, no key material is available in the locked state to decrypt the newly stored data. Upon unlock, the device-wide private key would be decrypted and used with each data public key to regenerate the shared secret and decrypt the stored data.
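The locked-state storage scheme just described, as an added example that is not code from the NSA, NIAP, or any CSfC vendor and is not a transcription of the protection profile: Go, using the standard library’s P-256 ECDH for the Diffie-Hellman step the article mentions and AES-256-GCM for the symmetric layer. Deriving the DEK as SHA-256 of the raw ECDH secret, the PBKDF2 iteration count, the 16-byte salt, and the `Device`/`Record` names are assumptions made for the illustration.

```go
// Added example (not NSA, NIAP or vendor code) of the locked-state "sensitive data" scheme
// above: P-256 ECDH, AES-256-GCM, PBKDF2-HMAC-SHA256 password KEK; parameters are assumed.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Record is all the device keeps per item: data public key, nonce, ciphertext.
type Record struct{ DataPub, Nonce, Ciphertext []byte }

type Device struct {
	devPub                       *ecdh.PublicKey
	salt, wrapNonce, wrappedPriv []byte // private key at rest: wrapped under the KEK
	priv                         *ecdh.PrivateKey // nil in the locked state
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation, ECDH or the OS CSPRNG failing is unrecoverable here
	}
	return v
}

// deriveKEK is PBKDF2-HMAC-SHA256 for one 32-byte block (an AES-256 key).
func deriveKEK(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	t := mac.Sum(nil)
	for i, u := 1, t; i < 10000; i++ { // iteration count is an assumption
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func seal(key, plaintext []byte) (nonce, ct []byte) {
	aead := gcm(key)
	nonce = make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return nonce, aead.Seal(nil, nonce, plaintext, nil)
}

// NewDevice generates the device-wide pair, wraps its private key under the
// password-derived KEK and returns the device in the locked state.
func NewDevice(password []byte) *Device {
	priv := must(ecdh.P256().GenerateKey(rand.Reader))
	salt := make([]byte, 16)
	must(rand.Read(salt))
	nonce, wrapped := seal(deriveKEK(password, salt), priv.Bytes())
	return &Device{devPub: priv.PublicKey(), salt: salt, wrapNonce: nonce, wrappedPriv: wrapped}
}

// Unlock rederives the KEK from the password and unwraps the device-wide private key;
// Lock discards the unwrapped copy again.
func (d *Device) Unlock(password []byte) error {
	raw, err := gcm(deriveKEK(password, d.salt)).Open(nil, d.wrapNonce, d.wrappedPriv, nil)
	if err != nil {
		return errors.New("unlock failed: wrong password or damaged wrapped key")
	}
	d.priv, err = ecdh.P256().NewPrivateKey(raw)
	return err
}
func (d *Device) Lock() { d.priv = nil }

// Store works while locked: a fresh data pair and the device-wide PUBLIC key give the
// shared secret; secret and DEK are zeroed and only the data public key is kept.
func (d *Device) Store(plaintext []byte) Record {
	dataPriv := must(ecdh.P256().GenerateKey(rand.Reader))
	shared := must(dataPriv.ECDH(d.devPub))
	dek := sha256.Sum256(shared)
	nonce, ct := seal(dek[:], plaintext)
	clear(shared)
	clear(dek[:])
	return Record{DataPub: dataPriv.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}
}

// Read needs the unlocked device-wide private key to regenerate the shared secret.
func (d *Device) Read(r Record) ([]byte, error) {
	if d.priv == nil {
		return nil, errors.New("device locked: no key material to decrypt")
	}
	dataPub, err := ecdh.P256().NewPublicKey(r.DataPub)
	if err != nil {
		return nil, err
	}
	shared := must(d.priv.ECDH(dataPub))
	dek := sha256.Sum256(shared)
	clear(shared)
	return gcm(dek[:]).Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

`Store` deliberately never touches the password: it needs only the device-wide public key, so data can arrive and be written while the phone is locked, while `Read` fails until `Unlock` has unwrapped the device-wide private key and fails again after `Lock`. Because GCM authenticates the ciphertext, a modified record is rejected rather than decrypted to garbage. A production implementation would keep the wrapped key in hardware-backed storage and use a memory-hard KDF; the point shown here is which key material exists in each state.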
Safe buying tips
When asked what McKay would do if he were a CIO or network admin sourcing products in the private sector, he said, “I might not need to go as far as CSfC-compliant offerings. Simply shopping from the NIAP-approved product compliant list goes a long way to ensuring a more secure solution” (it also has more than 2,000 products listed versus little more than 200 on the CSfC list).
However, he stressed that “I would make sure that my system administrators availed themselves of the security features built into those products because at the end of the day if a product is secure but you don’t avail yourself of those features built in you’re really missing the boat.”
Dirk Smith is a freelance writer. He can be reached at dirk@landfallresearch.com.
This story, "How the NSA is improving security for everyone" was originally published by Network World.