The Commercial Solutions for Classified (CSfC) Program is a process that enables commercial products to be used in layered solutions to protect classified information while shortening the deployment timeline, so that a solution can be fielded in months rather than years. The program was designed to allow the use of multiple unclassified commercial off-the-shelf (COTS) products, instead of classified Type 1 Government-accredited products, to secure classified data within Government deployments.
CSfC Capability Packages require CSfC-approved components; however, there are no component categories or Protection Profiles (PPs) specified for hardware security modules or key managers, such as those offered by SafeNet Assured Technologies (SafeNet AT). Many of SafeNet AT's products can address several requirements found in various PPs (e.g., the PP for Certification Authority) to support a deployment that can become CSfC-approved.
SafeNet AT’s encryption and data protection portfolio can be used to support layered solutions that increase cyber resiliency. The NSA’s CSfC program office has established several Capability Packages to provide DoD and government agencies with specific technical architectures and well-documented approaches to protect data in transit and data at rest.
Since a PP for HSMs does not exist, SafeNet AT's Hardware Security Modules (HSMs) are not CSfC approved. However, SafeNet AT's HSMs are officially approved for use in National Security Systems. The Memorandum for The National Security Systems Public Key Infrastructure Member Governing Body Document, CNSS-063-2017, was issued in January 2018 and explicitly approves SafeNet AT's Luna SA HSM as an approved Hardware Security Module for the National Security Systems Public Key Infrastructure. When the CSfC program creates an HSM component category and develops a corresponding PP, SafeNet AT HSMs will be submitted for approval.
While there are no PPs for HSMs, several Capability Packages make reference to a Public Key Infrastructure (PKI) or to using an HSM. Many customers have used SafeNet AT's Luna SA HSM to meet the full intent of their designated PP. SafeNet AT's HSMs can fit into all available CSfC Capability Packages if they are deployed using an online Certificate Authority (CA), which is typically the case for a true enterprise PKI solution. Tactical deployments make use of offline CAs and therefore do not require (per CSfC policy) the use of an HSM in their system, although using an HSM to protect the keys of offline CAs is still considered a security best practice.
There are no explicit requirements for an HSM in the Data at Rest Capability Package; however, it does call out some standard key management requirements. Incorporating the SafeNet AT HSM will enhance the overall security posture of the solution.
There is no PP applicable to SafeNet AT High Speed Encryptors (HSEs), so they are not CSfC approved. The only approved PP for network encryption at Layer 2 is for a network device that implements Media Access Control Security (MACsec) encryption.
MACsec is a standard that was designed to encrypt traffic on Local Area Networks (LANs). It is increasingly built into third-party switches and routers, and into the ASICs (or silicon) of many of those devices. MACsec is generally very low cost or even free with some devices, and it has adequate performance due to its use of hardware encryption.
However, there are several practical problems with MACsec. From a standards perspective, MACsec is not ideal for many carrier links because of its encrypted frame format and key management messages. MACsec is also not suitable for multipoint topologies and does not provide the high-assurance features that the SafeNet AT HSE product family offers.
By contrast, HSE uses a carrier-agnostic key management and encryption method based on formal, IEEE-recognized key management frames, which means HSEs can work across all carrier environments. HSEs are field upgradable, support built-in crypto-agility, and have higher performance than MACsec solutions.
While CSfC targets P2P deployments, SafeNet AT’s HSE offering provides an overall more secure and robust network encryption solution to meet the needs of our Federal customers.
There is no PP applicable to SafeNet AT KeySecure for Government (KeySecure), so it is not CSfC approved. In fact, CSfC currently has no notion of centralized key management. However, SafeNet AT's KeySecure appliance greatly simplifies the ability to manage, store, and secure cryptographic keys. It also facilitates near-instant and cryptographically secure full-disk erasure. These capabilities allow for strong key management in support of various CSfC models.