CommScope raises the bar for protection of classified data

Defense, intelligence, and civilian agencies need rapid access to the latest technologies to protect highly classified data and achieve mission objectives. That’s why the Commercial Solutions for Classified (CSfC) program is so important to ensuring protection of data up to Top Secret.

Historically, the Department of Defense (DoD) used what are referred to as Type 1 encryption devices to protect classified data being transmitted.  These devices are expensive to develop and maintain, and also require armed couriers when transported overseas because they are at risk of being compromised.

To provide a more flexible and less expensive option for protecting classified information, the National Security Agency (NSA) developed the Commercial Solutions for Classified (CSfC) program. This allows certified, commercial products to be employed in a layered solution to provide protection of data up to Top Secret.

How a CSfC Layered Network Solution Works

The concept involves using an encrypted tunnel that is subsequently encrypted via another tunnel. The tunnel endpoints determine where security boundaries are located. Both tunnels terminate on the end user device, ensuring that the classified data is double encrypted as soon as it leaves that device. The portion of the network where the data is double encrypted is called the Black Network. The data is considered fully protected on the Black Network, which may be exposed to external parties. The Gray Network is the portion where the data is only encrypted once. This part of the network is under the physical control of either the solution owner or a trusted third party. Once the data is completely decrypted, it is once again fully classified and on the Red Network (whatever classification that may be). See this NSA Wireless Local Area Network Capability Package document for more details.

RUCKUS and CSfC

Most people familiar with the RUCKUS product line are aware that we’ve had a site-to-site CSfC solution in the ICX 7450 access switches. This solution – which  is compliant with the CSfC Multi-Site Connectivity Capability Package – is able to provide one of the tunnels statically between two points; for example, from a base to a remote post that is only connected via commercial lines.

RUCKUS access points (APs) have recently become certified under the CSfC Campus WLAN Capability Package. This package allows the Wi-Fi encryption, WPA2 or WPA3, to provide part of the encryption for the outer tunnel. This outer tunnel can be extended from the AP uplink to a data plane (DP) using IPsec encryption. That said, there is still a need for an inside tunnel provided by a VPN client on the user device to the VPN Gateway at the edge of the classified enclave.

The illustration below provides an overview of what this solution looks like in an agency environment. The Data Plane (DP) at HQ (or a data center) would terminate tunnels from thousands of remote APs. DP devices can be clustered for redundancy (or even further capacity) with up to 10 DPs managed per SmartZone (SZ) instance.

[Figure: overview of the CSfC solution in an agency environment]
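To make the Black/Gray/Red boundaries concrete, here is a small design check that derives each segment's color from where the two tunnels start and end, and flags single-encrypted traffic on a link outside physical control. It is an added example, not RUCKUS or NSA code. The node names and the set of controlled links are constructed, and the outer layer (Wi-Fi encryption plus IPsec from AP to DP) is modeled as one tunnel from the user device to the DP.

```python
# Added example (not from the original post): derive Black/Gray/Red segments
# from tunnel endpoints. Node names and the controlled-link set are constructed.
COLOR = {0: "Red", 1: "Gray", 2: "Black"}

def classify_path(nodes, tunnels, controlled):
    """Return [(link, color, finding)] for each hop-to-hop link.

    nodes      -- ordered hops from the user device to the classified enclave
    tunnels    -- {name: (start_node, end_node)} encryption tunnels on that path
    controlled -- links under physical control of the owner or a trusted third party
    """
    pos = {name: i for i, name in enumerate(nodes)}
    report = []
    for i in range(len(nodes) - 1):
        link = (nodes[i], nodes[i + 1])
        # A tunnel covers link i if the link lies between its two endpoints.
        depth = sum(1 for s, e in tunnels.values() if pos[s] <= i < pos[e])
        color = COLOR[min(depth, 2)]
        # Gray must stay on controlled links (per the text); applying the same
        # rule to Red is this example's assumption.
        finding = None
        if color != "Black" and link not in controlled:
            finding = f"{color} traffic on a link outside physical control"
        report.append((link, color, finding))
    return report

def violations(report):
    """Keep only the links that carry a finding."""
    return [(link, finding) for link, _, finding in report if finding]

NODES = ["user-device", "ap", "dp", "vpn-gateway", "enclave"]
CONTROLLED = {("dp", "vpn-gateway"), ("vpn-gateway", "enclave")}

# Intended design: outer layer runs device -> DP, inner VPN runs device -> gateway.
GOOD = {"outer": ("user-device", "dp"), "inner": ("user-device", "vpn-gateway")}
# Misconfiguration: outer layer stops at the AP (no IPsec from AP uplink to DP).
BAD = {"outer": ("user-device", "ap"), "inner": ("user-device", "vpn-gateway")}

if __name__ == "__main__":
    for label, tunnels in (("good", GOOD), ("bad", BAD)):
        print(label)
        for link, color, finding in classify_path(NODES, tunnels, CONTROLLED):
            print(f"  {link[0]:>12} -> {link[1]:<12} {color:<6} {finding or 'ok'}")
```

In the misconfigured case the AP-to-DP link drops from Black to Gray while still crossing a network the solution owner does not control, which is the gap the IPsec extension to the DP closes.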

One handy feature of this architecture is that the outer tunnel does not require anything installed on the user device (yes, you still need that inner tunnel which requires some software to be installed).  The Wi-Fi client is already there and the AP (at the direction of SmartZone) manages the encryption from the user device wireless interface all the way back to the DP.  The APs can easily be pre-provisioned by simply connecting them to the network so that they can be imported into the SmartZone server management zones.  If the APs need to be drop shipped without configuration, the organization can upload their device information into the RUCKUS registrar site where it can be used to ensure the shipped AP finds the SmartZone controller. 

What’s Next?

For government customers looking to deploy CSfC to remote sites or home users that need to telework at a classified level, seek out a CSfC Trusted Integrator who is authorized to design and approve such solutions.  CommScope is working with several Trusted Integrators to help equip them with the information needed to deploy our products as part of a CSfC solution.