The Power of CSfC with Dylan Conner, ID Technologies - Ep. 81
Dylan Conner, CTO for ID Technologies and President of its Archon Division, recognizes both the power and the complexity of CSfC. Bad actors are not bound by policy constraints and can take advantage of the latest technology. In order for us to compete, we need to truly commercialize this technology, making it more scalable and usable in mission-focused environments.
Dylan Conner will discuss the value and opportunities for automation across the solution stack for product ordering, management, provisioning, and certificate renewal. Dylan will likewise discuss ways to make the accreditation cycles shorter and last longer using open source technologies.
Episode Table of Contents
- [02:03] The Power of CSfC as a Commercial Solution for the Classified
- [06:25] A Much Broader Skillset
- [11:32] The Benefits of CSfC in Action
- [17:15] An End-To-End Solution Secured by the Power of CSfC
- [21:13] A Resurgence of Interest in the Power of CSfC
- About Our Guest
The Power of CSfC as a Commercial Solution for the Classified
Carolyn: Today we have Dylan Conner and he's the CTO for ID Technologies. Hey, good morning, Dylan.
Carolyn: Thanks for being here. So, I want to jump right in. We talked about discussing CSfC today.
Carolyn: What is that? How does a solution become CSfC? Considered to be CSfC? Talk to me like I'm your mom? Nope, don't do that.
Dylan: I'm very polite to my mom.
Eric: Dylan can kick us off. It's Commercial Solutions for Classified. It's an NSA initiative to better protect the DoD and the intelligence community, and even the civilian government if they want to take advantage of some of the capability packages. So what is this then?
Dylan: So as you stated already, the program is Commercial Solutions for Classified. There are several capability packages which define ways to implement technology to allow a number of use cases. And there are basically two ways to use the platform.
Dylan: You can use it to send data or you can use it to store data. And those are referred to as the data at rest and data in transit capability packages. As subgroups, you've got the ability to connect users to the enterprise, users to a wireless infrastructure, enterprise locations to each other in the site-to-site.
Dylan: And then you also have the ability to implement what's called a data at rest capability package, which is useful if you want to be able to use your system when you're disconnected.
The Types of Use CSfC Is Built For
Carolyn: So what is the significance though of CSfC in general? Why wouldn't I just go to a company or develop my own solution? I guess I don't understand why this matters.
Dylan: So at a more basic level, there are basically two types of encryption: there's Type One, which is US government-controlled encryption, which is in common use today for the types of use that CSfC has been built for. And then there's Type Two, which is essentially everything else.
Dylan: And what the CSfC program has done is taken a selection of technologies involving different cryptographic algorithms, which is just a way to protect the data and created a reference architecture that's essentially just a guideline for using commercial products to secure information in a way that's equivalent to US-controlled encryption.
Dylan: And there's a couple of reasons you might want to do this. One is that US government-controlled encryption can't be shared with our partners. So if we're in a coalition mission space, it makes it very difficult to give partners access to US government networks.
Dylan: And the second is that there are very specific rules for handling and certifying Type One encryption devices, and that creates a significant burden on the US government. So we have to be certified to work on the gear. The user community that's qualified to work on the gear and operate it is much smaller.
Dylan: So when you use commercial solutions, your entire network engineer community of interest is able to assist in the delivery of these types of products.
The Power of CSfC to Implement Faster Government Solution
Eric: The bottom line is, instead of using government off-the-shelf or government-created software, the NSA is trying to bring commercially available products to market, or not to market but to bear, to solve some problems in an accredited or certified manner that they know provides the level of security required. Is that fair?
Dylan: That's totally fair. I don't want to downplay the security efforts of the vendors in this space. Everyone who plays in the CSfC space takes security very seriously. And they spend a lot of money and time certifying their products against US government standards using US government guided technology implementations. There's a laundry list of efforts that the vendor community takes to certify products for use on this type of platform.
Carolyn: So if I'm a government agency, what I'm hearing is if I go with a CSfC certified or on the list, I can implement faster and I can share with people that I wouldn't necessarily be able to share with if I used a government solution?
Dylan: A government-owned solution, to a certain extent, that's true. Where you really get the benefit is the fact that the benefits of commercial innovation come to your market much faster. So as you can imagine government-owned and government-controlled security implementations change very slowly and that's with good reason. They're very cautious with good reason.
Dylan: The commercial world has got the entire weight of industry innovating all the time to bring different features to bear on the market. And those features become much more rapidly available to users of the technology when you implement the CSfC.
Eric: With a theoretically lower cost too.
A Much Broader Skillset
Dylan: Absolutely, especially in OEM, especially in the operations and maintenance, because your security set to operate a CSfC infrastructure, the skillset, is a much broader skillset, and the technologies are much more broadly understood, and there are more people who are certified-
Eric: So Carolyn, an example might be instead of using Type One encryption, you can use multiple certified VPN capabilities that come commercial off-the-shelf. You layer them essentially; you've got dual VPN to provide that same level of encryption capability, if you will. To almost, I don't want to use the word certify, but to ensure that the encryption meets the requirements that NSA dictates for classified information.
Dylan: The process is actually called registration. From a timeline perspective, when a customer decides they have a requirement for a CSfC capability package, there's really a few steps.
Dylan: The first step is to actually either engage a CSfC NSA Trusted Integrator, which is a community of integrators who are qualified to design, implement and operate CSfC infrastructure. Or there are government customers who are themselves Trusted Integrators. So it's either to engage the service with a government or commercial Trusted Integrator.
Dylan: Then that Trusted Integrator will take the requirements from the government and apply the capability packages and the system design to that requirement to develop a bill of materials and reference architecture for that customer.
Carolyn: So this sounds like a no brainer. Does everybody just already do this?
Dylan: It's a great question. So what's happening right now in our world and the prevalence of work from home has really brought CSfC into the forefront. In the past, CSfC has been seen as an enabler for very specific mission-focused activities.
Looking at the Power of CSfC at an Enterprise Level
Dylan: And what's happening today is that everyone is looking at CSfC at the enterprise level.
Dylan: That does create an additional level of complexity when you move from several dozen or a couple of hundred users into the several thousands or tens of thousands of users. There is definitely a consideration in the network design and operations of that platform.
Eric: Well, we can't put a Type One encryptor in everybody's house, correct?
Eric: So Carolyn, an example: one of the solutions I was aware of, the cost per user with the Type One encryptor and all the other equipment and everything else was about $150,000 or so per user. Using Commercial Solutions for Classified brought that down into the $10,000 per user range. It's a significant cost savings when you do it, or can be.
Carolyn: I mean, what's the drawback of not doing CSfC? Are there barriers? There must be barriers to entry, right?
Dylan: What we're doing right now in this podcast is trying to reduce those barriers to entry. It is, in large part, a lack of information about the CSfC program. I find there's a lot of education we have to do when we talk to customers about the capabilities of the program.
Dylan: Getting it out there and marketing it as a capability for our government customers is an important thing to do in the sense that I think the main barrier to entry is probably ignorance.
Eric: That's a good point. I think commercial solutions for classified has been around, we're probably coming up on, Dylan, what, a decade?
Dylan: Yes, if not more.
The Genesis of the CSfC Program
Eric: I mean, it's been around a long time. One of the initial designs, as I understood it back in the day was to get away from certifying specific products but certifying solutions or capability areas.
Eric: So that a customer could say, "Hey, I need to set up a wireless network in the office. Well, what does that look like, is that okay? What technologies do I need?" As opposed to having them each go out and individually put things together.
Dylan: I think that's what is really interesting about the genesis of the CSfC program is that it came from very operational use cases. You had people deploying into extremely dangerous environments and extremely sensitive environments that they didn't want to bring Type One encryption.
Dylan: Because there's a very real chance that the assets that they're carrying would be intercepted or controlled by adversaries. If it's in an airport checkpoint or a tactical field location, the desire was to have truly drop it and forget it type technology in case they had to bug out.
Eric: Other than awareness, what are the other downsides you've seen?
Dylan: The implementations are complex. There's no question.
Carolyn: It's harder than just a Type One encryption implementation?
Dylan: It's different. Type One encryption has a very specified path and it's a very known infrastructure. It is difficult to implement but the difficulties are more known by more people than the CSfC implementation. The CSfC implementation is a problem of scale, not skill. So there are just more things to do in CSfC, they're much easier to do individually.
The Benefits of CSfC in Action
Dylan: There's just more of them, then when you talk to someone that's not familiar, that complexity can be off-putting but it shouldn't be.
Eric: Give us a story, Dylan, where you've seen in your experience, the benefits of CSfC in action. You don't have to name any vendors or anything but this is where it's really been a benefit to the US government and the people.
Carolyn: Before you give us the story is CSfC something that's broad across cybersecurity technology? Does it have a niche?
Dylan: Yes, it's for all national systems, for data in transit or data in flight. And Eric, the benefits of CSfC for our customers, I won't name the customer or the vendors, but the capability to access your network while you're not in an office is totally transformative for a number of our constituents. You can imagine who they are.
Dylan: The other application of CSfC is the application of cross-domain access solutions within a CSfC environment. You create the ability for users to be able to work from home in certain scenarios, just as if they were in the office. That's actually a specific customer benefit we're seeing right now with one of our customers.
Eric: That's timely with COVID-19 and work from home and remote access so as the workforce becomes more distributed. We're not going to order enough Type One encryptors and get them deployed. That makes sense.
Dylan: That's right. Honestly, we probably don't want to. Type One will always have a place. There's no question that there are certain information, certain networks that will always have a requirement for Type One encryption.
The Power of CSfC Makes It a Very Attractive Choice
Dylan: But the broad applicability and the relaxed controls and the relaxed risk to the government, implementing CSfC makes it a very attractive choice for enterprise level deployments.
Eric: If you could fix one thing, you're king for the day, I love this question. What would you change in CSfC? How would you make it better, easier, faster?
Dylan: There are certain requirements around specifying very specific implementations of a product for CSfC. Picking a server vendor, picking a hypervisor vendor, picking a service provider.
Dylan: The ability to certify against components that are less constrained would really increase the flexibility of solutions with very little increased risk. Not one thing.
Eric: When you say that, what I'm thinking is it's almost like FedRAMP or common criteria where there's a select list of components and capabilities that you can pick and if it's not on that list and you want something, you can't use it.
Dylan: That's correct. And it's funny you should say common criteria because that's exactly what governs the CSfC program. The choices are really arbitrary. So when you're getting a product certified with common criteria, the vendor selects how they implement.
Dylan: Some vendors are very specific in their choice of implementation to benefit their products, which I can understand the motivation. But the stated desire of the CSfC program office is to make these solutions flexible and cost-effective and easier for customers to adopt.
Dylan: And forcing a customer to adopt the technology baseline that they're not familiar with simply to maintain an accreditation that is almost entirely arbitrary to me runs counter to the goals of the CSfC program office.
The Goal of the Community
Eric: So five years from now, Carolyn and I get you back on the podcast. What has CSfC brought to the government customer? Where are we? Widely deployed? Where do we go?
Dylan: It's a great question. I think five years from now, Carolyn, Eric and Dylan will be having this podcast over a CSfC secured solution. Because the goal of the community should be to bring this level of production to every user, everywhere. But for the government, it means the flexibility to do their mission from anywhere that they have to be in any scenario.
Dylan: I remember after Snowmageddon back in DC here in 2011, I think the government shut down for all three or four days and it was just a catastrophe. Those types of incidents should not bring our government to its knees.
Dylan: Especially for the support and administrative personnel that really, they're not deployed and they're not in a tactical scenario. It's a question of access to a physical office space that doesn't bring a lot of benefit except for primary physical security.
Eric: Yes, it's interesting, you read through the capability packages and I don't have them memorized, I actually pulled them up earlier today. You've got mobile access, you've got campus WLAN, you've got multi-site connectivity, data at rest. All things for distributed workforce. I love that vision, we should all have NSA level certified encryption from site to site, through deployment.
Carolyn: A light bulb just went off for me when you said that Dylan. I was like, "Yeah, everybody should be doing this, not just the government."
An End-To-End Solution Secured by the Power of CSfC
Dylan: It's especially important in our community of interest, the vendor community of interest. This should be something that we are all striving towards, something that supports this mission. The government employees are not the only people who have access to sensitive information, and they're not the only people that need to take that seriously.
Dylan: There's a number of NIST requirements around securing contractor controlled data the same way that the government's supposed to. But what we should strive for as a community of interest is that we should all adopt this level of security for our own infrastructure because we are also targets.
Dylan: And it makes the case for enterprise application of CSfC easier for the government to adopt if industry has decided that it's a valid way of accessing and controlling information.
Carolyn: So let me ask you this. I don't know if this would apply, but you know, all the Zoom craziness going on where people are busting in. Would that help eliminate that if we were using these kinds of technologies?
Dylan: Absolutely. When you put together an end-to-end solution secured by CSfC, there is no Zoom crashing, it doesn't happen. Because the connection the application uses to bring the users together is not available to people who do not have an accredited system.
Dylan: It's important to realize this is an end-to-end system. It is from the customer's data center to the customers' endpoint. If you don't have the whole solution in place, you can't access the information and that's why it addresses your Zoom use case.
Eric: Right, you're not talking if you don't have the whole solution put together?
Dylan: That's right.
The Goal of the Organizations Involved in CSfC
Eric: To me, that's the beauty of it. It's got to get simpler, it's got to get faster, it's got to get cheaper. But everybody wants secure encrypted communications or they should. I mean, no brainer.
Carolyn: You guys have just said, it is cheaper, it is faster.
Dylan: The goal of the organizations involved in CSfC should be to make CSfC a business decision, not an operational or accreditation decision. The government should be able to say, "You know what, for this use case and this user I need CSfC." And that should be that easy, the way it is to do FIPS certificates, FIPS certified.
Eric: Do most of your customers appreciate Commercial Solutions for Classified? I know it's complex, I know it takes time and effort. But do they appreciate what it's driving to and the fact that it helps secure their operations?
Dylan: 100%. I think that if they didn't embrace CSfC already, you wouldn't see any implementation. Because think about it, the CSfC community today as I said, has been limited to smaller pieces of the pie, but they're still doing it. The users that use CSfC today are users that literally we spent any amount of money we have to.
Dylan: To protect and ensure their mission, because how do you put a dollar value on human life or national security? So if there's a question of money, then we would never have CSfC implementation. It's also a question of security and flexibility. So 100%, the users have already embraced CSfC.
A Tiered Security Approach
Dylan: What's happened with COVID-19 and shutdown is that the government agencies have realized, "Well, holy crap, I have an entire superset of users that also need this type of security to work from anywhere." Because there's plenty of scenarios where they can't come into the office.
Carolyn: Well, and like we just said, I mean, it's not just government, look at our educators. They can't use Zoom right now. So if they had this in place, then they could.
Eric: Actually, they can use Zoom if they're on Zoom Gov and there are other components that are authorized.
Dylan: I think that the big message here is that if everyone could afford CSfC, everyone would have it, or should have it.
Eric: Yes, good point.
Dylan: What we're looking at here is the fact that we have a tiered security approach to who has what based on risk because it costs more money and that's literally the controlling factor. If it was easy to use and cheap, everyone would have it everywhere, and that would make the world a more secure place.
Eric: Which is interesting, we had Katie Arrington from CMMC on a couple of months ago and she talked about $600 billion a year on intellectual property walking right out of this country.
Dylan: 600 billion?
Eric: 600 billion, that's what they've measured. I was on a call with General Alexander, ex-commander, director of NSA. He's now at Iron Net Security, and he referenced over 500 billion. I had the same reaction, Dylan. I was like, "That's a lot of money."
A Resurgence of Interest in the Power of CSfC
Eric: I mean, that's almost, what is that? Three-quarters of the defense budget? Walking out the door every year from this country. Let's look at spending a little money maybe in securing our communications and our infrastructure. We can currently take from that pot of loss.
Dylan: I think what you're going to see Eric, with this resurgence of interest in CSfC is the implementation of products that are designed to be secure in fact as well as secure certifications. Things like managed attribution, zero trust data access controls. Those types of technologies absolutely have a place in the CSfC market, even though they're not part of the CSfC accreditation boundary.
Dylan: You're going to see more vendors thinking more holistically about, "Hey, my risk profile went from 10 or 20 people in-country to 10 or 20,000 people around the world. How can I make this implementation better for my government customer?" That's something we're definitely seeing happen right now.
What the Government Was Striving For
Carolyn: Dylan, thank you so much for being on the podcast. Eric, do you have any last parting questions?
Eric: No, I think I'm good. I mean, this is something I've been working with for a decade now and it's interesting.
Carolyn: I'm fairly new to it, but good job explaining it. It was eye-opening for me.
Eric: It's interesting watching it evolve also, initially it wasn't going to be about any kind of products whatsoever. It was initially designed as a partial replacement for common criteria and the cost of certification, making things easier. It's really evolved and come a long way and Dylan, fascinating hearing the updates and your opinion. I think this is exactly what the government was striving for.
Dylan: Excellent. Well guys, thanks for having me. It was a really exciting opportunity to talk about this, and we are seeing a huge uptick in what our customers are doing.
About Our Guest
As CTO, Dylan is accountable for making our Accelerating Simplicity mission a reality for customers and partners. That involves sustaining a diverse partner portfolio that aligns with current and emerging customer requirements, developing our presales architecture team, and advancing our technical capabilities.
Prior to joining our team, Dylan spent 18 years in IT sales, engineering and leadership, working as chief architect on a range of major Federal Government IT programs. A lifelong Texas Longhorns fan, Dylan takes a keen interest in the intersection of technology, government, and the social impact of the digital transformation. He and his family live in Arlington, Virginia.
- Webinar: How Agencies Can Simplify Multi-Domain Operations with CSfC Mobility Solutions https://defensesystems.com/webcasts/2020/04/id-technologies-forcepoint-042320.aspx?&pc=G0FORPWC&utm_source=webmktg&utm_medium=E-Mail&utm_campaign=G0FORPWC
- Webinar: Commercial Solutions for Classified (CSfC): What Does an Approved Solution Look Like? https://www.forcepoint.com/resources/webcasts/commercial-solutions-classified-csfc-what-does-approved-solution-look
- Forcepoint CSfC solution: https://www.forcepoint.com/product/cross-domain-security/forcepoint-trusted-thin-client