Government agencies that handle classified and other sensitive information were once limited to cumbersome wired networks and expensive custom hardware and software. In today's environment of rapidly advancing technology and shrinking budgets, agencies, including the Department of Defense and the intelligence community, are increasingly being asked to adopt commercial technology such as smartphones and wireless networks for sensitive and classified communications.
The National Security Agency’s Commercial Solutions for Classified (CSfC) program allows government agencies to safely use wireless networks and commodity hardware to handle classified communications. The CSfC program supports secure communications based on commercial standards and commercial products, leveraging the rapid technology evolution of the commercial communications segment. By enabling secure communications using commercial products in layered solutions, CSfC offers the security federal agencies need to protect classified data at substantially lower cost, with greater functionality and more immediate availability than in traditional approaches to classified communications.
But even with the CSfC program in place, putting commercial end-user devices (EUDs) on classified networks still involves complex manual provisioning and extensive per-application certification. That makes deployment difficult and slow and, more worrying, error-prone. Advances in three areas, a shared transport-security component, automated provisioning, and advanced mobile networking, let agencies deliver the seamless, secure and reliable connectivity that demanding missions need.
Streamlined CSfC deployment of mobile user apps
The NSA publishes capability packages that specify minimum product and configuration requirements for mobile access, campus wireless LAN, multi-site connectivity and data-at-rest solutions. Under the Mobile Access Capability Package (MACP), agencies select commercial products evaluated by the National Information Assurance Partnership (NIAP) and configure them in two independent encryption layers to protect classified data in transit, delivering truly mobile secure communications. Modern smartphones give access to millions of applications, but when an application supplies its own transport layer security (TLS) as one of those layers, the MACP requires that app to be tested and NIAP-approved. The process is slow and expensive because every such app, including government off-the-shelf apps, must obtain approval for its own transport security.
A recent addition to the CSfC components list is a TLS software application that provides a NIAP-approved, shared TLS layer implemented as a virtual private network (VPN). It can carry multiple, diverse services, including multicast and data-intensive traffic such as voice and video streaming. Because the shared TLS VPN is not tied to particular applications, apps can be added or updated without new NIAP approval or CSfC re-registration. Using this common component removes the need for each app to implement and certify its own TLS, so mission-essential apps can be deployed quickly without lengthy per-app certification. Note that the shared component certifies only the transport encryption; it does not evaluate how an app handles data once it is on the device.
Provisioning EUDs by hand to meet the strict requirements of the NSA and the CSfC program is time-consuming and prone to administrator and user error. Secure, automated techniques now exist that provision a device out of the box, so war fighters can use it without incurring those risks.
Automation cuts per-device setup time from hours to minutes and removes the configuration errors that manual setup invites. Automated provisioning and configuration tools support fast, secure brigade-level deployments and can install user-friendly monitoring and troubleshooting tools on the device. For the DoD or intelligence-agency end user, continued smooth operation then depends on tools that watch for expiring authentication certificates and automatically request and install replacements over the air, with no user involvement.
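The expiry check such a tool has to run before it triggers a renewal request, as an added example that is not Perspecta's or the CSfC program's code. It uses only the openssl CLI; the self-signed certificate it generates is a constructed stand-in for a real device authentication certificate, and the 45-day renewal window and the subject name eud-example are assumptions.

```shell
#!/bin/sh
# Added example (not Perspecta's tooling): decide whether an EUD's
# authentication certificate is close enough to expiry that an
# over-the-air renewal should be requested. Assumes only the openssl CLI.
set -eu

# needs_renewal CERT_PEM DAYS
# Exit status 0 (true) when the certificate expires within DAYS days,
# 1 (false) when it is still valid past that window, 2 when the file
# cannot be parsed as a certificate (so a broken file is never silently
# treated as "fine").
# openssl x509 -checkend takes seconds and exits 0 when the cert is still
# valid at that point in the future, 1 when it will have expired.
needs_renewal() {
    cert=$1
    days=$2
    seconds=$((days * 86400))
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    if openssl x509 -noout -checkend "$seconds" -in "$cert" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# make_test_cert CERT_PEM KEY_PEM DAYS
# Constructed throwaway self-signed certificate standing in for a device's
# real authentication cert; valid for DAYS days from now.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$1" -days "$3" -subj "/CN=eud-example" \
        >/dev/null 2>&1
}

# Demo: a 30-day cert with a 45-day renewal window should be renewed;
# with a 10-day window it is left alone.
tmp=$(mktemp -d)
make_test_cert "$tmp/cert.pem" "$tmp/key.pem" 30
if needs_renewal "$tmp/cert.pem" 45; then
    echo "cert.pem: expires within 45 days, request renewal"
else
    echo "cert.pem: not within the 45-day window"
fi
rm -rf "$tmp"
```

In a real provisioning agent the renewal window would be chosen so that a device out of coverage for the expected maximum period still comes back with a valid certificate, and the result of the check would feed the enrollment request rather than an echo.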
Flexible and advanced networking capability
In sparse, underdeveloped and contested environments, delivering the required level of service assurance to mobile war fighters is hard. Poor performance during periods of marginal connectivity means delays, outages and dropped sessions, and those failures do more than hinder communications: they can jeopardize the mission and put lives in danger. Advances in secure mobile networking, including seamless hand-off across multiple underlying radio networks and secure multicast, are increasingly available to meet these challenges.
Using persistent IP addressing, machine learning and autonomous networking, newer mobility-management solutions forecast network discontinuities, establish alternate or parallel secure paths and move existing secure sessions onto them before the current path degrades to the point of being unusable. These solutions can be tailored to specific deployments, giving mobile war fighters secure, reliable communications even in highly dynamic environments.
Widespread adoption of mobile access CSfC solutions will deliver secure mobility in a familiar, easily carried device, while taking advantage of the latest technology and lower price points of commercial products and providing substantial value in tactical deployments. The resulting mobile devices can be easily used by war fighters in the field, without specialized communications security or IT training.
It is time for agencies to embrace commercial solutions; they need these tools and technologies to support mobile environments effectively and ensure seamless mission operations.
Eric Jung is CSfC program director at Perspecta Labs, the applied research arm of Perspecta.