Welcome to the Acumen Security Blog

Real world impact of CSfC

A couple of weeks back I had the pleasure of attending the IAS 2015 symposium hosted by IAD. It was my first time attending this symposium and it was interesting to interface with the end user community who procure and use, on a daily basis, the products we certify. We as evaluators do not get exposure to this aspect of the certification business and it was definitely an eye opener. For example, I had a great conversation with a gentleman from NORAD who was concerned about the “new” PP-based approach to certification and I *think* I was able to convince him why this approach is better than the old way of doing CC evals. I also had the pleasure of participating on a panel with other friends from industry regarding the Technical Community approach to creating PPs. However, I digress.

One of the main focuses of this symposium was the Commercial Solutions for Classified program. If you are not aware of it, CSfC is a newish program from IAD which opens up classified networks to commercial vendors and products. It leverages Common Criteria to ensure product security and creates what are called capability packages for standard deployment scenarios. In any case, one of the panels I attended was “CSfC: What do Customers Really Say?”. On the panel were representatives from White House Communication Agency, Southern Command, Pacific Command etc. These were folks who are responsible for deploying communication infrastructure for their respective commands and ensuring comms sec. So they were the classical end users who until now were deploying classified infrastructure with GOTS products but now are deploying COTS products that have passed CC and CSfC certification.

A real world example given by the Major representing Southern Command was telling and instructive on how CSfC has changed the ballgame for them. The Major was in Colombia deploying networks as part of US engagement in the country. When he started this process he had to deploy GOTS products, which had significant red tape involved, especially since the network had to be interoperable with the Colombian armed forces. He ran through some 30+ approvals that needed to be received before he could even begin the deployment! And all of this was for a forward deployed base directly affecting the warfighter! It was impossible to get these approvals in a timely, mission critical manner. So what he had was a Frankenstein network that was pretty much unusable. Then in came CSfC, which changed everything. Since what he was deploying now was essentially commercial technology, the number of approvals shrank significantly and he was able to deploy a robust, usable network with top grade comm sec in short order. Stories such as these were repeated across the panel!

This is when I realized the real world impact of the work we do. Usually certification is looked at as a burden both by product vendors and end users. But in this case it clearly helped solve a real world problem and clearly showed the usefulness of the CSfC (and in turn the CC) program.