Our products > Other productsSecureIO for CSfC

SecureIO for CSfC

SecureIO Suite and SecureIO RapidDeployer accelerate fielding of CSfC Android devices and applications

The National Security Agency’s (NSA) Commercial Solutions for Classified (CSfC) program establishes requirements for government agencies to safely use wireless networks and commodity hardware to handle classified communications. By using NIAP (National Information Assurance Partnership)-approved commercial products in layered solutions, registered CSfC solutions can protect classified data at substantially lower cost, with greater functionality and more immediate availability than traditional approaches. 

CSfC requirements for commercial end-user devices (EUDs)—laptops, tablets and smartphones—to connect to secure networks are stringent, involving complex, precise provisioning and extensive per-application certification requirements. Our SecureIO product suite offers software solutions and tools to accelerate fielding of Android EUDs and mission-critical applications.
Anchor Element
Copy for linking on the same page:
https://www.perspectalabs.com/?data-scroll-to-anchor=HowItWorks
Copy for linking from an external page:
https://www.perspectalabs.com/?data-anchor-link=HowItWorks

How it works

SecureIO TLS Solution

CSfC Mobile Access Capability Package (MACP) requirements stipulate that each application implementing Transport Layer Security (TLS) must be individually tested and approved by NIAP. Since Android EUDs typically use TLS-encrypted app traffic inside an IPSec tunnel, each Android CSfC app that uses TLS would be subject to NIAP testing and NSA review. NIAP certification can be a long and expensive process, representing a high barrier to entry for new Android CSfC apps, especially government off-the-shelf apps.  

Our flagship product is the SecureIO TLS Solution, which dramatically reduces the time required to approve, test and field CSfC-compliant Android devices. It provides a NIAP-approved common, shared TLS encryption function that can be used by every app running on the EUD. This SecureIO solution eliminates the need for the installed apps to implement their own transport security, enabling a wide variety of new apps to be quickly deployed on MACP-compliant Android EUDs.  

The SecureIO TLS Solution consists of SecureIO application software, which is installed on the Android EUD to provide an API, and the SecureIO VPN gateway, which provides a Linux-based VPN gateway / server component.  

SecureIO Rapid Provisioner

Monitoring application displays real-time status for access and VPN on an end user device in a CSfC campus WLAN deploymentSecureIO Rapid Provisioner for Windows: Monitoring application with real-time status for CSfC campus WLAN

​MACP requirements for EUDs include separation of IP stack space for outer and inner Internet Protocol Security (IPSec) tunnels, diversity of IPSec clients and separation of security credentials for the two tunnels. Manual separation of IP stacks, installation and configuration of IPSec clients and further configuration of in-host routing to achieve the desired networking and security posture is a time-consuming procedure fraught with possibilities of user and administrator error at each step. For an enterprise-wide deployment, this leads to excessive delays in formulating plans for installation, testing and eventual release of EUDs to end users.

The SecureIO Rapid Provisioner is an industry-leading solution, available for both Windows and Android devices, which provides an automated process so that all necessary CSfC deployment and configuration steps can be performed accurately with a few button clicks. Rapid Deployer has been shown to reduce configuration time from more than 4 hours per device to 15 minutes, saving agencies resources and valuable time. It delivers speed, security compliance and scalability, while eliminating manual steps, improving accuracy of device provisioning and reducing the training required for the personnel performing the provisioning.

​For Windows laptops and tablets, Rapid Provisioner runs like a familiar wizard-based Windows application installer. Rapid Provisioner ​for Windows first deploys and configures an inner IPsec client and type-2 hypervisor on the host. It then creates a virtual machine (VM), which hosts the outer IPSec client, and sets up internal host-only interfaces and appropriate routing rules. It additionally deploys and configures monitoring applications for the Windows system tray and an application to monitor the system even before the user logs on or when the user logs off or when the desktop is locked. This aspect is critical for setups where pre-connect features are necessary, for example, for Active Directory based login checks.​

​For Android smartphones and tablets, Rapid Provisioner provides an easy to use web interface through which an administrator creates categories of device types; each category supports users with similar device needs (e.g., different user groups require different apps). An administrator can use the Rapid Provisioner GUI to assign a new device to a specific user within a group. When the device is powered on, provisioning staff initiate the provisioning process by quickly tapping it with an NFC-capable provisioning device, after which the new device autonomously downloads, authenticates, decrypts and installs a package customized with the new user’s credentials and containing the configuration and software required for users in that user category.
Picture
SecureIO Rapid Provisioner for Android: System architecture

​Other SecureIO products

In addition to our SecureIO TLS Solution and the SecureIO Rapid Provisioner, we offer the following software products and applications:
  • SecureIO VPN Chaining Manager: an optional component that runs on Android devices and works with the SecureIO TLS Solution to establish and enforce VPN chaining
  • SecureIO Over-the-air (OTA) Certificate Manager (CM) for Android and SecureIO Over-the-air Certificate Manager for Windows: provides OTA monitoring for certificate expiration and automated capability to request and install an updated certificate. The SecureIO OTA CM consists of our OTA CM Management Server, which is software running in the CSfC network infrastructure, plus EUD software, which is available in a version for Android EUDs and a version for Windows EUDs
  • SecureIO CSfC Status Monitor for Android and SecureIO Status Monitor for Windows: is a standalone application that monitors network connectivity on the EUD and displays status to the user
Anchor Element
Copy for linking on the same page:
https://www.perspectalabs.com/?data-scroll-to-anchor=features
Copy for linking from an external page:
https://www.perspectalabs.com/?data-anchor-link=features

Features

  • Support for ATAK: off-the-shelf ATAK is supported on classified EUDs using the SecureIO TLS Solution without requiring any modifications to ATAK or the CSfC-compliant configuration
  • Support for multicast: the SecureIO TLS Solution supports multicast traffic to / from Android devices in classified or unclassified use cases. Specifically, multicast is supported in a dual-tunnel configuration for classified use or in a single-tunnel configuration for encrypting SBU / CUI communications
  • Network-aware capability in SecureIO TLS Solution: SecureIO's optional network-aware capability is particularly suited for tactical networks where individual EUDs need to roam between disconnected network enclaves. This functionality enables the SecureIO app on an Android EUD to detect network change and create a new secure tunnel to whichever SecureIO gateway is reachable on the local network segment
Anchor Element
Copy for linking on the same page:
https://www.perspectalabs.com/?data-scroll-to-anchor=Advantages
Copy for linking from an external page:
https://www.perspectalabs.com/?data-anchor-link=Advantages

Advantages

Our SecureIO products dramatically reduce the time, complexity and risk of errors for configuring and fielding CSfC-compliant Android and Windows devices, supporting arbitrary apps on these devices, and monitoring and managing certificates and status.
  • SecureIO TLS Solution: decreases the time required to approve, test and field CSfC-compliant Android devices by providing an NIAP-approved common, shared TLS encryption function for use by every app on the EUD
  • SecureIO Rapid Provisioner: automated deployment solution which rapidly accelerates the CSfC installation and configuration process, reducing configuration time from multiple hours per device to 15 minutes
Anchor Element
Copy for linking on the same page:
https://www.perspectalabs.com?data-scroll-to-anchor=resources
Copy for linking from an external page:
https://www.perspectalabs.com?data-anchor-link=resources

Resources

Research, services and products of interest

Research

  • Mobility research: advances in dynamic, secure mobile networking for congested and contested environments

Services

  • CSfC trusted integrator: NSA-designated, proven CSfC trusted integrator with innovative tools for mobile access and campus WLAN deployments

Products

Anchor Element
Copy for linking on the same page:
https://www.perspectalabs.com?data-scroll-to-anchor=requestinfo
Copy for linking from an external page:
https://www.perspectalabs.com?data-anchor-link=requestinfo