NSA goes commercial to harden networks

Spy agency leverages commercial technologies as it seeks to stay ahead of evolving cyber threats.

Following the Pentagon's lead, the National Security Agency is turning to commercial vendors as it implements a layered cyber defense in a bid to keep up with evolving threats.

Security analysts note that the NSA effort, dubbed Commercial Solutions for Classified (CSfC), seeks to reduce the time needed to certify secure architectures and devices from years to months or weeks. That goal also reflects broader U.S. efforts aimed at reforming a moribund government acquisition apparatus by adopting industry best practices and "lean startup" approaches.

The NSA cyber initiative also addresses criticism that federal agencies have been slow to address network vulnerabilities in the aftermath of a massive security breach last year at the Office of Personnel Management. In seeking commercial solutions for a proposed layered defense, NSA's Information Assurance Directorate said the goals of CSfC include "developing new ways to leverage emerging technologies to deliver more timely [information assurance] solutions for rapidly evolving customer requirements."

According to the program's website, product requirements are in place for virtual private networks, campus wireless LANs, "data at rest" solutions and mobile access. Project managers added they would continue to use equipment supplied by government contractors as well as commercial products to protect classified information. However, the new directive adds that NSA's Information Assurance Directorate (IAD) would "look first to commercial technology and commercial solutions in helping customers meet their needs for protecting classified information…."

Government systems have traditionally been developed using strict design criteria to protect sensitive and classified data. As cyber threats evolve and agencies brace for the next big security breach, the spy agency reckons that its current acquisition process remains time-consuming and unable to keep up with increasingly sophisticated attacks.

The NSA initiative is a "much needed response [to the] acceleration of cyber attacks," said James Scott, co-author of an analysis of the NSA initiative released this week by the Washington-based Institute for Critical Infrastructure Technology.

CSfC "serves to strengthen the national cyber-posture by enabling commercial solutions to be used in the layered solutions that protect national security systems information," the study noted.

"CSfC is designed to provide agencies with a list of components vetted against a common framework that satisfies NSA IAD’s security requirements while incorporating emerging technologies and improving national security."

The spy agency's commercial approach relies on a layered information security framework made up of "redundant, trusted components that are supplied by or included in approved commercial solutions," according to the study.

The layered defense approach differs from other security models that use multiple devices to protect networks, with each device performing a different security function. By contrast, the layering of commercial devices is intended to have several independent devices each fulfill the same security function, so that the information assurance requirement for that function is met redundantly.

The study also argues that layered cyber defenses are most effective when the different components rely on a variety of algorithms, processors, protocols, platforms and configurations, so that a single flaw cannot defeat every layer at once. Hence, the NSA effort is likely to mix and match commercial and contractor-supplied solutions as it seeks to accelerate the process of hardening government networks.
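The redundancy-with-diversity principle described above, as an added example that is not part of the original article and is not NSA or CSfC code: two independently keyed protection layers built on different primitive families wrap the same data, a configuration check flags layers that share a family, a key, or a supplying component, and a small model shows that losing one layer's key does not expose the data while a single layer would. The layer names are constructed, and the ciphers are toy standard-library constructions (HMAC keystream plus a separate HMAC tag) used only to keep the example self-contained; real layers would be approved ciphers from vetted products.

```python
"""Two independent protection layers with diverse primitives.
Added illustration for this article; not CSfC or NSA code. The ciphers are
toy stdlib constructions (HMAC-based keystream plus a separate HMAC tag),
chosen only so the example runs offline without third-party libraries."""
import hmac
import os
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32  # both sha256 and sha3_256 yield 32-byte HMAC tags


@dataclass(frozen=True)
class Layer:
    component: str   # constructed name of the product supplying this layer
    family: str      # hash family the layer relies on: "sha256" or "sha3_256"
    key: bytes       # this layer's own key, generated independently of the others

    def _subkey(self, label: bytes) -> bytes:
        # Domain-separated subkeys so keystream and tag never share HMAC inputs.
        return hmac.new(self.key, label, self.family).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        enc_key = self._subkey(b"enc")
        out, block = b"", 0
        while len(out) < length:
            out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), self.family).digest()
            block += 1
        return out[:length]

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._subkey(b"mac"), nonce + ct, self.family).digest()
        return nonce + ct + tag

    def open(self, blob: bytes) -> bytes:
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError(f"{self.component}: blob too short")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._subkey(b"mac"), nonce + ct, self.family).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"{self.component}: authentication failed")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def check_diversity(layers):
    """Configuration check: flag layers that share a primitive family, a key,
    or a supplying component, since a shared weakness would defeat redundancy."""
    problems = []
    for attr, msg in (("family", "layers share a primitive family"),
                      ("key", "layers share a key"),
                      ("component", "layers come from the same component")):
        if len({getattr(layer, attr) for layer in layers}) < len(layers):
            problems.append(msg)
    return problems


def protect(layers, data: bytes) -> bytes:
    """Apply layers inner-to-outer: layers[0] wraps the data first."""
    for layer in layers:
        data = layer.seal(data)
    return data


def unprotect(layers, blob: bytes) -> bytes:
    """Peel layers outer-to-inner; any layer failing its tag check raises."""
    for layer in reversed(layers):
        blob = layer.open(blob)
    return blob


def single_key_exposes_data(layers, blob: bytes, plaintext: bytes) -> bool:
    """Model the loss of exactly one layer's key: can its holder, with no other
    key, recover the plaintext from the protected blob? The outer key alone
    yields only the inner ciphertext; the inner key alone fails the outer tag."""
    for layer in layers:
        try:
            if layer.open(blob) == plaintext:
                return True
        except ValueError:
            pass  # this key does not open the outermost layer
    return False


if __name__ == "__main__":
    layers = (
        Layer("vendor-A-vpn-gateway", "sha256", os.urandom(32)),
        Layer("vendor-B-tls-endpoint", "sha3_256", os.urandom(32)),
    )
    report = b"constructed sample: report contents"
    blob = protect(layers, report)
    print("diversity problems:", check_diversity(layers) or "none")
    print("round trip ok:", unprotect(layers, blob) == report)
    print("one leaked key exposes data (two layers):", single_key_exposes_data(layers, blob, report))
    print("one leaked key exposes data (one layer):",
          single_key_exposes_data(layers[:1], protect(layers[:1], report), report))
```

Run it directly to see the two contrasting results. The design point is that `check_diversity` is a deployment-time control, not a runtime one: it is cheap to run whenever a layer's product, key, or algorithm is changed, and it catches the configuration drift (two layers quietly converging on the same vendor or cipher) that turns a layered design back into a single point of failure.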

Among other eligibility steps, potential vendors for the CSfC initiative must submit IT components to the NSA-managed National Information Assurance Partnership for security testing. Once approved, the component would be added to a CSfC component list.