Test Your Knowledge – Do you know the risks and benefits of CSfC?

Incorrect
There are many differences between the two solutions that affect their operational security, utility, lifecycle logistics and maintenance costs. There is a significant difference in risk management.

Correct!
There are many differences between the two solutions that affect their operational security, utility, lifecycle logistics and maintenance costs. There is a significant difference in risk management.

Incorrect
CSfC solutions require at least two independent layers of approved products from the CSfC APL designed together by a Trusted Integrator according to NSA specified Capability Packages. This process can take several months to design and even longer to register the solution for a specific application. Type 1 solutions are single, certified products developed with high assurance standards, are NSA certified for broad use and can be purchased off standard contract vehicles or direct from manufacturers.

Correct!
CSfC solutions require at least two independent layers of approved products from the CSfC APL designed together by a Trusted Integrator according to NSA specified Capability Packages. This process can take several months to design and even longer to register the solution for a specific application. Type 1 solutions are single, certified products developed with high assurance standards, are NSA certified for broad use and can be purchased off standard contract vehicles or direct from manufacturers.

Nice try.
There are two types of Type 1 products – Controlled Cryptographic Items (CCI) and Cryptographic High Value Products (CHVP). CCI equipment demands strict handling requirements. CHVP products incorporate only unclassified cryptographic Commercial National Security Algorithms (CNSA) to protect information classified Secret and below and follow a less restrictive handling policy (CNSSI 4031). Due to the ability to handle the crypto in a manner similar to IT equipment, CHVP products are ideal for unmanned, leave behind and high-risk environments. CSfC handling requirements are defined per the Capability Package and mandate that the equipment must be protected at the same classification level as the information being handled.

Nice job!
There are two types of Type 1 products – Controlled Cryptographic Items (CCI) and Cryptographic High Value Products (CHVP). CCI equipment demands strict handling requirements. CHVP products incorporate only unclassified cryptographic Commercial National Security Algorithms (CNSA) to protect information classified Secret and below and follow a less restrictive handling policy (CNSSI 4031). Due to the ability to handle the crypto in a manner similar to IT equipment, CHVP products are ideal for unmanned, leave behind and high-risk environments. CSfC handling requirements are defined per the Capability Package and mandate that the equipment must be protected at the same classification level as the information being handled.

You got it!
While Type 1 solutions generally have a competitive procurement cost, they have a lower lifecycle cost due to less required maintenance and one, centralized customer support system. Conversely, CSfC solutions tend to have a lower individual component cost initially at the expense of higher, layered solution costs throughout the lifecycle due to regular maintenance, annual software maintenance licenses, re-registration and de-centralized customer support for each component.

Not quite.
While Type 1 solutions generally have a competitive procurement cost, they have a lower lifecycle cost due to less required maintenance and one, centralized customer support system. Conversely, CSfC solutions tend to have a lower individual component cost initially at the expense of higher, layered solution costs throughout the lifecycle due to regular maintenance, annual software maintenance licenses, re-registration and de-centralized customer support for each component.

Correct!
CSfC is a process rather than a certification, which means the organization’s Authorizing Officer (AO) is responsible for registering the solution, risk ownership, configuration management and maintenance of the solution. The AO must stay up to date with the latest Capability Packages and re-accreditation of the CSfC solution components. In contrast, a Type 1 solution is certified by the NSA, which means the product is developed using established NSA processes and algorithms and is verified by the NSA that it meets all applicable security and interoperability standards to protect sensitive data.

Incorrect.
CSfC is a process rather than a certification, which means the organization’s Authorizing Officer (AO) is responsible for registering the solution, risk ownership, configuration management and maintenance of the solution. The AO must stay up to date with the latest Capability Packages and re-accreditation of the CSfC solution components. In contrast, a Type 1 solution is certified by the NSA, which means the product is developed using established NSA processes and algorithms and is verified by the NSA that it meets all applicable security and interoperability standards to protect sensitive data.

Not quite.
The high standards applied to Type 1 solutions are not limited to the primary vendor – the entire supply chain for that solution must be trusted and verified. This provides a higher degree of protection across its entire development. Conversely, CSfC solutions are composed of layered commercial products derived from an unverified supply chain.

You’re right!
The high standards applied to Type 1 solutions are not limited to the primary vendor – the entire supply chain for that solution must be trusted and verified. This provides a higher degree of protection across its entire development. Conversely, CSfC solutions are composed of layered commercial products derived from an unverified supply chain.

Nice try.
While Type 1 solutions require minimal maintenance during the solutions lifecycle, CSfC solutions generally require regular maintenance to address IA vulnerability alerts, key, Capability Package updates and re-registration.

Nice job!
While Type 1 solutions require minimal maintenance during the solutions lifecycle, CSfC solutions generally require regular maintenance to address IA vulnerability alerts, key, Capability Package updates and re-registration.

You got it!
CSfC solutions mandate an annual reaccreditation against the most recent Capability Packages. Conversely, Type 1 products are NSA certified and subsequently do not need to be reaccredited on a yearly basis. The NSA certification approves Type 1 devices for a wide variety of use cases and applications while removing the assumed cyber security risk from the organization’s Authorizing Officer (AO).

Not quite.
CSfC solutions mandate an annual reaccreditation against the most recent Capability Packages. Conversely, Type 1 products are NSA certified and subsequently do not need to be reaccredited on a yearly basis. The NSA certification approves Type 1 devices for a wide variety of use cases and applications while removing the assumed cyber security risk from the organization’s Authorizing Officer (AO).

Correct!
High assurance Type 1 solutions typically offer more robust warranty coverage (typically 3-5 years including hardware and software) and include a central 24/7 help desk support system with options for additional maintenance coverage. Commercial products typically include less than 1 year of warranty and charge for customer care packages and surcharge for 24/7 technical support. Since CSfC solutions are comprised of at least 2 products from different vendors and composed by a Trusted Integrator, they are not supported by a single, centralized customer support ecosystem (help desk, device management and key management systems are decentralized).

Incorrect.
High assurance Type 1 solutions typically offer more robust warranty coverage (typically 3-5 years including hardware and software) and include a central 24/7 help desk support system with options for additional maintenance coverage. Commercial products typically include less than 1 year of warranty and charge for customer care packages and surcharge for 24/7 technical support. Since CSfC solutions are comprised of at least 2 products from different vendors and composed by a Trusted Integrator, they are not supported by a single, centralized customer support ecosystem (help desk, device management and key management systems are decentralized).

You got it!
Type 1 solutions are designed for mission requirements, which often include embedment in SWAP restricted platforms and rugged environments to ensure product reliability and performance when it matters most. Because the CSfC solutions concept of multiple layers of equipment provides redundant security, it also adds Size, Weight, Power and Cost (SWAP-C) to the total initial purchase. This type of solution also adds post-installation maintenance and labor costs to remain compliant.

Nice try.
Type 1 solutions are designed for mission requirements, which often include embedment in SWAP restricted platforms and rugged environments to ensure product reliability and performance when it matters most. Because the CSfC solutions concept of multiple layers of equipment provides redundant security, it also adds Size, Weight, Power and Cost (SWAP-C) to the total initial purchase. This type of solution also adds post-installation maintenance and labor costs to remain compliant.

Correct!
Click here for more information on our C-Series CHVP encryptors.

Not quite.
Click here for more information on our C-Series CHVP encryptors.