How to Protect Data-in-Motion

Data-in-motion, also called data-in-transit, refers to digital information when transferring between network system nodes. Once the data is stored on a hard drive or network attached storage (NAS), it is considered data-at-rest.

Equipping your military system with capable technology and protecting sensitive data from external threats is a top priority for system integrators and operators. Data can be exposed to risks both while in motion and at rest and requires protection in both states. To this end, encryption is key to maintaining the data’s integrity throughout its intended course. Multiple standards-compliant systems that ensure the security of sensitive and classified data are available in layered encryption of hardware, software, or a mix of both for system integrators to choose from.

Protecting your Data: Encryption Methods

IPsec Encryption

Internet Protocol Security (IPsec) is a suite of secure network protocols that authenticates and encrypts packets between two communication points over a Layer 3 IP wide area network (WAN). Network routers and security systems that support commercial VPN capabilities are traditionally built around IPSec and similar well-known cryptographic standards.

MACsec Encryption

When a Local Area Network (LAN) needs to protect Layer 2 Ethernet traffic, MACSec (802.1AE)  encryption can authenticate and safeguard data. The MACsec standard enhances local area network (LAN) traffic security by identifying unauthorized LAN connections and excluding them from communication within the network. In addition, the protocol authenticates nodes through a secure exchange of randomly generated keys, ensuring data can only be transmitted and received by MACsec-configured nodes.

NSA Type 1 and CSfC Solutions

Traditionally, the U.S. government has used National Security Agency (NSA) Type 1 equipment built around classified algorithms to secure network traffic. However, this technology was generally only available to the government and its contractors, and its use comes with many burdensome restrictions and custodial requirements. In recent years, protecting a military platform’s classified data-in-motion as it’s routed over an IP network has become more accessible, more affordable, and faster to deploy, with the NSA’s approval of the use of commercial encryption technologies.

The Commercial Solutions for Classified (CSfC) program is an NSA initiative that allows commercial off-the-shelf (COTS) solutions that have been verified and approved to meet national security standards to be used for layered solutions protecting national security system (NSS) data that is classified up to Top Secret. This approach makes it far less burdensome to secure embedded network communications on-board an aircraft, vessel, ground vehicle, carried to the tactical edge, or even used in a home or field office. That’s because integrators can use a layered commercial solution based on public cryptography and secure protocol standards.

CSfC requires the use of two encryption layers, both of which can be either hardware, software, or a mix of the two. In addition, system integrators can select approved commercial components from the NSA Central Security Service (CSS) components list, which shows system designers what cybersecurity solutions are approved to speed their system development.

Solutions for Protecting Wired Data-in-Motion

As a solution technology integrator (STI) for Cisco Systems, Curtiss-Wright integrates Cisco’s ESS-3300 embedded switch and ESR-6300 embedded router cards into rugged systems for military use cases. These Cisco technologies have undergone rigorous testing and obtained certifications, including FIPS 140-2, Common Criteria, and approval as CSfC components. These Cisco technologies are based on enterprise-grade Cisco IOS-XE software, which provides network security features that ensure highly secure voice, video, and data communication. In addition, IOS-XE has been validated on many other Cisco products for both Common Criteria and CSfC.

Switching solutions featuring CSfC-approved Cisco ESS-3300

26-port rugged Cisco switch with PoE

Parvus DuraNET 3300 10G/1G Rugged Ethernet Switch

For Layer 2 (LAN) Ethernet switch traffic data-in-motion security using MACSec, Curtiss-Wright’s Parvus® DuraNET® 3300 and PacStar PS444 and PS446 rugged Ethernet switches package Cisco’s ESS-3300 technology in small form factor (SFF) chassis that combines mechanical ruggedness with Cisco’s high-performance IP networking capabilities. Both the Parvus and PacStar solutions use the same Cisco technology; they are packaged in different ways with different connector types, different levels of ruggedness, etc. With Cisco Network Essentials or Network Advantage IOS-XE software licenses options, the units can support managed Layer 2 switching and Layer 3 dynamic routing with a comprehensive set of secure network services.

PacStar 444

PacStar PS444


Routing Solution featuring CSfC-Approved Cisco ESR-6300

6-port rugged Ethernet router

Parvus DuraMAR 6300 Rugged Ethernet Router

To secure data-in-motion for Layer 3 Wide Area Network (WAN) data, Curtiss-Wright’s Parvus DuraMAR® 6300 and PacStar PS447 integrate Cisco’s ESR-6300 router card and IOS-XE software into rugged systems suited for size, weight, and power (SWaP)-constrained military and civil vehicle/aircraft installations. Packaged in different ways with different connector types and levels of ruggedness, these SFF secure network routers are ideal for red-black architectures, leveraging Commercial National Security Algorithm (CNSA) suite cryptography for IPsec (aka NSA Suite B).

PacStar 447

PacStar PS447


Solutions for Protecting Wireless Data-in-Motion

The NSA now allows classified information to be transmitted on wireless connections, even over public and partner networks, using two sets of encryption technologies (such as Cisco and Aruba VPNs), one layered inside the other. The NSA has also approved combinations of solutions that include a layer of VPN combined with encryption provided by Wi-Fi, TLS, or MACsec, following specific guidelines.

Curtiss-Wright offers turnkey solutions based on its PacStar® 400-Series modules that can be used in a CSfC solution. These solutions are available directly from Curtiss-Wright and through other large DoD-focused systems integrators/prime contractors.

Curtiss-Wright collaborates closely with industry-leading, enterprise-class makers of networking, encryption, and cybersecurity technologies – integrating, testing, and certifying their technologies into PacStar modular systems. We provide the solutions in a pre-integrated and configured state and customize the solutions to meet program requirements.

PacStar CSfC Solutions are managed by PacStar IQ-Core® Software Crypto Manager (CM) to simplify maintenance, unify management, reduce complexity, decrease downtime, and shorten training for system administrators. PacStar IQ-Core CM significantly reduces equipment costs over Type 1 encryption hardware and enables U.S. coalition partner interoperability without using controlled cryptographic items (CCI).

Explore more of our trusted, secure solutions below.



Parvus DuraNET 3300 + CHAMP-XD1S

TrustedCOTS™ Processing Modules

Data-at-Rest Encryption & Secure Storage Solutions

All Trusted Computing Solutions


What's New? Commercial Solutions for Classified Data-at-Rest Capability Package 5.0 Review U.S. Government customers require the market’s most modern commercial security... MORE> What is NSA Type 1 Encryption? An NSA Type 1 encryption product is a device or system certified by the National... MORE> What is Commercial Solutions for Classified (CSfC)? Commercial Solutions for Classified (CSfC) is an integral part of the National... MORE> Exploiting Big Data for Defense The “big data problem” – too much raw data coming too fast over too many... MORE> Curtiss-Wright Introduces Fastest, Highest Capacity 6U OpenVPX™ Storage Blade with 32/64 TB of 6.25 GBps NVMe Memory New VPX6-SBM Storage Blade Module more than doubles data rate and amount of NVMe... MORE> Curtiss-Wright Introduces High Speed 10 Gigabit Ethernet Network Attached Storage with Two-Layer Encryption to Protect Critical Sensor Data on Deployed Platforms New HSR10 network attached storage (NAS) system provides up to 32 TB storage... MORE> Aircraft Developer Looks to Modernize Storage of Sensitive Data A leading C5ISR system integrator reached out to Curtiss-Wright in search of a... MORE> DAR Series Part 4: NSA CSfC vs. Type 1 Encryption This white paper provides an objective, practical, and unbiased comparison between... MORE> DAR Series Part 3: NSA Type 1 Encryption This white paper is the third in the series of four related white papers on... MORE> Planning to Export Data-at-Rest Storage with Encryption? In applications where data flows need to take place in nanoseconds, the delay... MORE> Electronics Cooling Boosts Capabilities to Match Performance Upgrades Enabling technologies for electronics and embedded computing thermal management... MORE>
Connect With Curtiss-Wright Connect With Curtiss-Wright Connect With Curtiss-Wright


Contact our sales team today to learn more about our products and services.





Our support team can help answer your questions - contact us today.