Blog

Can Top-Secret Data Be Transported Unclassified?

December 01, 2021 | BY: Paul Davis

Commercial Solutions for Classified (CSfC) is essential for the National Security Agency (NSA) strategy to deliver secure cybersecurity solutions. The CSfC program leverages commercial encryption technologies and products to provide much-needed cybersecurity solutions quickly. Commercial encryption technologies are employed in many technologies today, such as automobiles, mobile phones, tablets, and home security systems.

The CSfC program was established to protect classified National Security Systems (NSS) data with commercial products in layered solutions. Solutions handling Top Secret/Sensitive Compartmentalized Information (TS/SCI) have been approved by the NSA.  CSfC provides security and efficiency: security through the ability to securely communicate based on commercial standards and efficiency through an NSA-managed program that offers a solution that can be fielded in months, not years.

Regarding the question posed in the blog title, the short answer is yes. When top-secret data is transported on removable media, it is sufficiently encrypted as to be considered unclassified.  There is much more to the story, so please read on for the details.

For more details regarding the CSfC program, reference the Curtiss-Wright whitepaper Data-At-Rest Encryption Series: Commercial Solutions for Classified (CSfC)

CSfC Solution Example

The Curtiss-Wright Data Transport System (DTS1) product shown in Figure 1 is an example of a modern CSfC solution proposed.  The DTS1 is a rugged network attached storage (NAS) system currently deployed by numerous USG entities. It provides two certified layers of commercial encryption to protect data-at-rest (DAR).  The outer encryption layer is hardware full disk encryption (HWFDE), and the inner layer is software full disk encryption (SWFDE).

Curtiss-Wright DTS1 and RMC

Figure 1 - Curtiss-Wright DTS1 and Transportable RMC

After the two layers of AES256-bit encryption encrypt the data, the data is stored on a solid-state drive housed inside a specially designed removable memory cartridge (RMC).  The RMC comes in various capacities, up to 8 terabytes (TB).  The RMC can even be removed while the DTS1 still has power applied.  This capability, known as hot-swapping, is important so that the deployed vehicle does not have to be powered down.  Before removing the RMC, the operator opens the latched door and then presses a button on the front of the RMC.  This button initiates a shutdown procedure stopping data flow to that RMC so that data does not become corrupted.  When the LED indicators on the RMC light up in a proper sequence, the RMC is ready to be removed for transport.  A new, fresh RMC may be inserted at that time.

Is the RMC Considered Unclassified During Transport?

This question is one of the most frequently asked.  Classified data must be safely transported to and from the deployed vehicle. The CSfC DAR Capability Package (CP) states:

In a powered-off state, the device is completely off and not in any power-saving state. The EUD is considered unclassified but must still be handled in accordance with the implementing organizations’ AO policies. This applies to all removable media when unplugged from the host system. If the RMs have their own power states, the product documentation must be consulted to determine how to independently switch the product into a powered-off state.

In the example system, both the DTS1 and the RMC are considered End User Devices (EUD).  Regarding the RMC, the keywording is that this unclassified state applies to all removable media when unplugged from the host system.  In the DTS1 system, the RMC is the removable media, and the RMC is unpowered when removed from the DTS1.  It does not have a separate, independent power source. 

Note that even during transport, the RMC must be handled in accordance with policies set by the Authorizing Official (AO) or Designated Approving Authority (DAA).  The AO sets the appropriate policies in place for each unique application or program.  The policies set may depend on whether the deployed vehicle is attended or unattended. It may also depend on the data classification level, and other factors deemed important by the AO.

Table 1 - RMC Classification During Transport

RMC location DTS1 Power Status DTS1 Outer Layer Status DTS1 Inner Layer Status RMC Classification

Removed from DTS1

N/A

N/A

N/A

Unclassified

 

Is the RMC Unclassified When Inserted into the DTS1?

The short answer is that it depends on certain conditions.  To help explain this, four scenarios are explored below.  In each scenario, the RMC is inserted into the DTS1. 

Scenario 1 – DTS1 powered off

If the DTS1 is powered off entirely and not in a power-saving state, then the DTS1 is considered unclassified.  The RMC is deemed to be unclassified as well as the DTS1 in Scenario 1.  The RMC receives its power solely from the DTS1 and has no separate power source. 

Scenario 2 – DTS1 power on, neither encryption layer authenticated

If the DTS1 is powered on and in an unauthenticated state, then the DTS1 is considered unclassified.  This state cannot be entered by logging off after the initial login.  The RMC is deemed to be unclassified as well as the DTS1 in Scenario 2. 

Scenario 3 - DTS1 power on, outer encryption layer only authenticated

If the DTS1 is powered on with the outer layer authenticated, the DTS1 is operational where the user has authenticated to the outer layer of hardware full disk encryption (HWFDE).  The DTS1 is in a state considered classified and should be handled accordingly.  The RMC is considered classified as well as the DTS1 in Scenario 3.     

Scenario 4 - DTS1 power on, both encryption layers authenticated

If the DTS1 is powered on with both the outer (HWFDE) and inner (SWFDE) layers authenticated, the DTS1 is operational when the user has authenticated to two layers of DAR encryption.  The DTS1 is in a state considered classified and should be handled accordingly.  The RMC is considered classified as well. 

Table 2 - RMC Classification When Inserted in the DTS1

RMC location DTS1 Power DTS1 Outer Layer Authentication DTS1 Inner Layer Authentication RMC Classification

Inside DTS1

Off

No

No

Unclassified

Inside DTS1

On

No

No

Unclassified

Inside DTS1

On

Yes

No

Classified

Inside DTS1

On

Yes

Yes

Classified

 

Summary

For the example DTS1 system, the RMC is considered unclassified when removed and being transported.  It is unpowered while being transported.  This fact is important for deployed vehicles where classified data must be transported to and from the vehicle, as in Figure 2.

Transport of Unclassified RMC

Figure 2 - Transport of Unclassified RMC

Also, it is important to note that the RMC has no encryption mechanisms and has no power source other than the DTS1.  The two commercial encryption layers reside in the DTS1 only.  Two separate layers of AES256-bit encryption have encrypted the data residing on the RMC. 

If an unauthorized party or adversary obtains the RMC in an unpowered state, it is considered unclassified per the NSA definition.  The unpowered state may be in one of two conditions: (1) while the RMC is being transported by itself or (2) while the RMC is inside the DTS1, but the system is unpowered. 

When the RMC is inserted into the DTS1, the classification of the RMC depends on the power status of the DTS1 (and in turn RMC) plus the authentication status for the outer and inner layers.  Table 3 shows the various power and authentication states and the RMC classification status in each.

Table 3 – Summary of RMC Classification Status in the Various States

 

RMC location DTS1 Power DTS1 Outer Layer Authentication DTS1 Inner Layer Authentication RMC Classification

Removed from DTS1

N/A

N/A

N/A

Unclassified

Inside DTS1

Off

No

No

Unclassified

Inside DTS1

On

No

No

Unclassified

Inside DTS1

On

Yes

No

Classified

Inside DTS1

On

Yes

Yes

Classified

 

Author’s Biography

Paul Davis

Director, Product Management - Data Solutions

Paul Davis began his career for Curtiss-Wright as a Research Manager for the Dayton, OH facility in 1997. Paul has held positions including: Director of Engineering managing a staff of 40+ engineers, managers, technicians, and co-op students; Product Manager for the switches, recorders, and various board level products; and then Director of Product Management. Now retired, Paul worked in engineering and engineering management positions for 19 years.

Share This Article

  • Share on Linkedin
  • Share on Twitter
  • Share on Facebook
  • Share on Google+
Want to add a comment? Please login
Loading...
Connect With Curtiss-Wright Connect With Curtiss-Wright Connect With Curtiss-Wright
Sales

CONTACT SALES

Contact our sales team today to learn more about our products and services.

YOUR LOCATION

PRODUCT INFORMATION

Support

GET SUPPORT

Our support team can help answer your questions - contact us today.

REQUEST TYPE

SELECT BY

SELECT Topic