
CNSSP-11 | Committee on National Security Systems Policy

Navigating New Acquisition Requirements for National Security Systems

Ampex is committed to providing rugged, reliable data solutions for your most critical missions. Part of that commitment involves staying ahead of evolving cybersecurity requirements. A key policy update impacting the acquisition of technology for sensitive government systems is CNSSP-11 (Committee on National Security Systems Policy 11), which became effective February 28, 2025. This policy sets new standards for purchasing cybersecurity-related products for National Security Systems, emphasizing verifiable trust and security assurance.

Policy Context: The Drive for Higher Assurance

CNSSP 11 reflects a broader government-wide push to strengthen cybersecurity, primarily stemming from these key directives:

    • E.O. 14028: This 2021 Executive Order, “Improving the Nation’s Cybersecurity,” mandated significant modernization efforts across federal agencies, including the adoption of ZTA (Zero Trust Architecture), stronger encryption, and enhanced Software Supply Chain Risk Management (SCRM).

    • NSM-8: This 2022 National Security Memorandum, “Improving the Cybersecurity of National Security… Systems,” specifically applied and often strengthened E.O. 14028 requirements for the NSS (National Security Systems), DoD, and Intelligence Community environments. Notably, it mandated the use of NSA-approved cryptography for NSS.

    • NSD 42: This earlier directive established the CNSS and the NSA National Manager role, providing the foundational authority for CNSS policies like CNSSP 11.

In practice, E.O. 14028 and NSM-8 define the necessary security posture, while CNSSP 11 enforces it at the point of acquisition by requiring proof that purchased products meet specific security evaluation standards.

Scope of CNSSP 11

Understanding who and what this policy applies to is essential:

    1. Systems Covered (NSS): The requirements apply when acquiring products for systems designated as NSS. Under CNSS Instruction 4009, this includes systems performing specific sensitive functions (related to intelligence, cryptology, military command and control, weapons systems, or critical mission fulfillment) or any system handling classified national security information. The responsibility for designating a system as NSS rests with the system owner or integrating agency.

    2. Products Covered: The policy covers the acquisition of COTS (Commercial Off The Shelf) and GOTS (Government Off The Shelf) products that provide cybersecurity functions or are IT products incorporating cybersecurity capabilities relevant to the system’s protection (e.g., encryption, access control, secure data storage).

Understanding the Evaluation Requirements

CNSSP 11 mandates formal, standardized evaluation for these products:

    • COTS Path (NIAP and FIPS):
        • For COTS products, compliance with the National Information Assurance Partnership (NIAP) program is the primary requirement. NIAP oversees evaluations using the international Common Criteria standard.

        • These evaluations are often performed against specific PPs (Protection Profiles). A PP defines detailed, standardized security requirements and testing activities for a particular class of technology (like Network Devices, Full Disk Encryption, or Operating Systems). Products successfully evaluated against a NIAP-approved PP are listed on the NIAP Product Compliant List (PCL), providing standardized assurance.

        • For components performing cryptographic functions (like data encryption), NIST FIPS 140 (Federal Information Processing Standard 140) validation is typically required. FIPS 140 specifically tests and validates the design and implementation of the cryptographic module itself, ensuring the encryption algorithms are implemented correctly and securely. This is often a prerequisite or co-requisite for NIAP evaluation of products involving cryptography and directly supports NSM-8’s mandate for robust encryption.

    • GOTS Path (NSA): GOTS products intended for NSS must be evaluated and certified directly by the NSA or used according to specific NSA guidance.

Practical Implementation: CSfC Data-at-Rest Example

A common scenario for NSS involves protecting classified data stored on COTS hardware. The NSA’s Commercial Solutions for Classified (CSfC) program provides approved architectures for this.

    • The CSfC Data-at-Rest (DAR) Capability Package, for instance, requires using multiple layers of independent encryption solutions.

    • Crucially, each of these COTS encryption solutions must be listed on the NIAP PCL (meaning it has met the evaluation requirements detailed in CNSSP 11, often including FIPS 140 validation for the cryptographic component).

    • Ampex offers rugged systems designed to integrate these types of evaluated components, enabling customers to build data storage solutions compliant with CSfC DAR architectures.

Beyond Acquisition: Supporting Broader NSS Security Goals

While CNSSP 11 focuses on the purchase point, the evaluated products acquired play a role in meeting broader NSS security objectives from NSM-8:

    • Zero Trust Enablement: ZTA relies heavily on protecting data regardless of network location. Using platforms with validated data-at-rest encryption provides a fundamental building block for the data security pillar of a Zero Trust strategy.

    • Supply Chain Confidence: E.O. 14028 and NSM-8 emphasize SCRM. Utilizing COTS products that have undergone the scrutiny of NIAP/FIPS evaluation, combined with Ampex’s focus on a controlled supply chain, helps address concerns about component integrity and software security.

Ampex: Your Partner in Navigating Compliance

This framework clearly increases the required level of security assurance for technologies deployed on National Security Systems. At Ampex, we recognize that our customers need solutions that are not only rugged and performant but also demonstrably secure and compliant.

Our range of data-at-rest encryption capabilities directly addresses the different levels of assurance mandated under this policy structure:

    • AES-256 / FIPS 197: We provide solutions utilizing this foundational and internationally recognized encryption algorithm, specified in FIPS 197.

    • FIPS 140 Validated: For requirements demanding validated cryptographic modules per CNSSP 11, we offer solutions incorporating FIPS 140 validated encryption.

    • CSfC Ready: Our systems serve as robust platforms ready for integration into CSfC architectures using layered, evaluated COTS components per NSA requirements.

    • NSA Type 1: For the highest assurance needs on NSS, we offer platforms incorporating NSA Type 1 encryption solutions.

Understanding whether your system is designated NSS and the corresponding level of data sensitivity dictates the required evaluation path under CNSSP 11. Ampex has invested in providing these validated security options, and our team is prepared to discuss your specific requirements, helping you select and implement a rugged data solution that ensures both mission success and compliance with these critical cybersecurity mandates.