Think about this – students currently making their way through high school and college have never known a world without laptops, smartphones, email and SMS communications, and instant access to the internet. Their world is mobile, and they expect to be able to access the information they want or need in seconds.
Contrast that with the day of a typical U.S. Department of Defense or Intelligence Community staff member working with classified information, where network access is only possible after passing through the secured doors of a concrete building, logging into a computer with a dedicated line, and having no access to any other information outside of the network while at work.
The two are worlds apart – and that’s a big problem when it comes to recruitment and retainment. On one side is the need to protect American citizens and data from cyber attackers looking to disrupt our way of life by keeping networks and access locked away in a building. On the other side is the best and brightest talent that will bring innovative solutions to our nation’s defense and security organizations who expect flexible remote access – and can easily find it in the private sector.
To maintain our status as a global world power and stay one step ahead of our adversaries, we are going to have to find a balance between the two. To do that, the way we work across the DoD and IC must change.
What is the Commercial Solutions for Classified program?
The Federal government understands the significance of remote access on meeting mission objectives now and in the future. Agency leaders are looking to the private sector for technology that helps them maintain the highest security levels while meeting the ease-of-access demands of today’s worker – and can be implemented quickly. To support this, the National Security Agency developed the Commercial Solutions for Classified (CSfC) program.
CSfC is based on the principle that properly configured and layered commercial IT solutions can provide sufficient protection of classified data in a variety of applications. Under CSfC, secure access to classified information is no longer tied to the hardwired computer sitting in a concrete building. Through an approved CSfC solution, people who need access to classified information can work anywhere.
To maintain strict security standards, NSA has published four solution-level Capability Packages under CSfC:
· Mobile Access
· Campus WLAN
· Multi-Site Connectivity
· Data at Rest
To take it a step further, through the National Information Assurance Partnership (NIAP), NSA works with government and industry technologists to develop and publish product-level security requirements that fall under each Capability Package.
Capability Package Use Cases
Innovative solutions are endless, but there are some immediate use cases that can be addressed by industry under the CSfC program. These include helping field agents gain access to classified networks so they don’t have to drive into a secure location to input investigative notes or to do research. Another is implementing wireless capabilities on DoD and IC campuses, allowing workers to bring their devices to different locations across the campus to do their job – or simply use their mobile devices to check in with their families while at work.
Making the Change
Implementing a CSfC solution enables top level security and flexible remote access. Here are a few things DoD and IC technology teams should consider when evaluating CSfC solutions:
“Good enough” with security protocols is not an option with the NSA. After all, we are talking about access to classified information and our national security. Educate your team to remain vigilant – no default passwords, no easy workarounds. Stay alert and always disciplined.
Make it Easy
Not all CSfC solutions are created equal. Agencies go down this path to improve the lives of their staff. Implementing solutions that are too complex can have unintended consequences – including, worst case, forcing employees to find an unsecure workaround. When implementing a CSfC solution, evaluate for ease of use.
Ensure it is Scalable
CSfC solutions are just like other enterprise IT solutions – you want them to scale as your agency and its needs grow.
Do Your Due Diligence
Research the options. DoD and IC agencies have the same goals. If a solution works for one team, consider how you can leverage similar capabilities.
Resist Going It Alone
When reviewing the Capabilities Package, there will be familiar elements that might lead to a temptation to build the CSfC solution in-house by piecing together the components. This is extremely difficult and very time consuming. CSfC is built on principles of layered security. Getting all of those layers right and retooling off-the-shelf solutions to meet the strict CSfC standards is hard to do.
To achieve the desired results in a timely and cost effective way, look to vendor partners who have experience with NSA security protocols and the CSfC Capability Packages. Balancing security and flexible access is achievable, and will directly support workforce recruitment, retention, effectiveness, and ultimately, mission outcomes.
Jimmy Sorrells is president, INTEGRITY Global Security, a DoD and IC community partner.
Have an opinion?
This article is an Op-Ed and as such, the opinions expressed are those of the authors. If you would like to respond, or have an editorial of your own you would like to submit, please email Military Times Senior Managing Editor Kent Miller.
Want more perspectives like this sent straight to you? Subscribe to get our Commentary & Opinion newsletter once a week.