The need for CSfC – a Q&A

Avatar_NewDog Ruckus Networks May 3, 2019

Commercial Solutions for Classified (CSfC) is an important part of the government’s commercial cybersecurity strategy. CSfC is designed to deliver secure cybersecurity solutions quickly, by leveraging commercial technologies. It is founded on the principle that properly configured, layered solutions can provide effective protection of classified data in a variety of different applications.

We connected with Joe Rizo, Principal System Engineer at Ruckus Networks, to better understand the importance of CSfC.


Can you please briefly give some detail around CSfC for our readers?

Commercial Solutions for Classified is a program for acquiring Commercial-off-the-Shelf (COTS) product solutions that are managed by the Information Assurance Directorate (IAD) of the National Security Agency (NSA). This program establishes a process for using CSfC certified products on National Security Systems (NSS).

The program requires that CSfC solutions be deployed in a layered fashion. What this means is that classified data is subjected to multiple layers of encryption, thereby making it increasingly more difficult for an attacker to penetrate those layers and get to the NSS data.

Why did the NSA move to a COTS-based solution?

The Committee on National Security Systems Policy (CNSSP) # 11 specifically established a preference for COTS products for NSS use, noting that:

“Layered COTS [commercial off-the-shelf] product solutions (e.g., selecting two or more IA and IA-enabled IT products) are preferred for use to protect information on NSS when these solutions are available and satisfy an organization’s requirements.”

For those that operate and maintain legacy Information Assurance (IA) products on the NSS, the advantage is obvious. These legacy systems are mostly proprietary. This means the processes for acquisition are lengthy, the operations are both complicated and cumbersome and the maintenance is expensive.

When a customer moves to a COTS-based system all of these issues go away, significantly improving their ability to meet and adapt to ever-changing cybersecurity threats and mission requirements. 

What advantages do these newer solutions bring to the table?

The first and most obvious is choice. With COTS systems the customer is able to decide which product solutions meet their specific requirements and then choose that product. They don’t have to make the mission requirements fit into the limitations of the legacy system.

The second is simplified operations. The vendors on the CSfC approved products list are well known to the customer. Companies such as Cisco, Fortinet, Juniper and of course, Ruckus offer certified solutions. These are all well-known and trusted infrastructure vendors. This provides the customer with a large pool of support personnel to choose from. And CSfC makes the operations of these solutions simpler and less costly.

The third and most important advantage is avoiding vendor lock. When the customer deploys a CSfC solution they have the choice to change out the solution if the mission requirements change. The products on the CSfC list all use open standard protocols, making them fully interoperable and interchangeable.

Where does Ruckus Networks technology fit in?

Ruckus’ technology fits in nicely. With our ICX 7450 switch and the IPsec service module, the Ruckus solution is very versatile in its deployment.

As an inner tunnel CSfC solution, the Ruckus ICX 7450 can provide up to 48 10/100/1000 PoE+ interfaces for client device aggregation and 10Gbps of encryption. You can uplink using 1Gb small form-factor pluggable (SFP), 10Gb SFP+ or 40G QSFP interfaces.

As the outer tunnel CSfC solution, we can provide up to 48 1Gb SFP interfaces to downlink switches, again with 10 Gbps of encryption. Regardless of the deployment method the ICX 7450 has the capability to stack up to 12 switches AND deploy two IPsec service modules in the stack for redundancy.

In addition to the physical capabilities of the ICX 7450 it also provides the customer with a large selection of protocol features to use – open shortest path first (OSPF), Border Gateway Protocol (BGP), virtual routing and forwarding (VRFs), and virtual local area networks (VLANs), among others. 

How many approved providers of CSfC are there?  

There are many certified CSfC products on the CSfC Components List. All of these products went through rigorous testing before they were approved. This is the beauty of the program – choice! Not every product does everything, but there are a sufficient number of choices so that any cybersecurity mission requirement can be met.

With so many choices how can the IAD ensure that these systems are deployed properly?

They actually have that part covered through working with the commercial sector. By requiring that CSfC solutions be deployed through CSfC approved integrators, the IAD ensures that CSfC solutions are only deployed in a manner that meets the program requirements.

In the near future (say 18 months), what developments do you see happening re CSfC?

I see implementation getting simpler as the program goes on. I also predict that high-speed WAN encryption (1G – 100G+) will continue to evolve, making CSfC faster and more efficient.

Find out more on CSfC and the IPsec module here.

About the Author


Ruckus Networks