R 281910Z JUL 20
MSGID/GENADMIN/CMC DCI IC4 WASHINGTON DC //
SUBJ/POLICY GUIDANCE FOR THE PROCUREMENT OF COMMERCIAL SOLUTIONS FOR CLASSIFIED (CSfC) SYSTEMS//
REF/B/CMC C4 CY/ECSM 012/1 MAY 2015//
REF/C/CMC C4 CY/ECSM 018/8 APR 2019//
REF/D/NIST 800-37/MAY 2004//
REF/E/DODI 8510.01/MAR 2014//
NARR/REF A IS MARADMIN 067/19, TABLET PROCUREMENT, CONFIGURATION, SUSTAINMENT, AND ACCOUNTABILITY GUIDANCE. REF B IS THE CYBERSECURITY ARCHITECTURE MANUAL. REF C IS THE MARINE CORPS ASSESSMENT AND AUTHORIZATION PROCESS (MCAAP) MANUAL. REF D IS THE DOD INSTRUCTION ON THE RISK MANAGEMENT FRAMEWORK. REF E IS THE GUIDE FOR THE SECURITY CERTIFICATION AND ACCREDITATION OF FEDERAL INFORMATION SYSTEMS.//
POC/DR. R. A. LETTEER/CIV/HQMC DC/I C4 CY BRANCH/TEL: 703-693-3490/RAY.LETTEER@USMC.MIL//
POC/M. ROGERS/CIV/HQMC DC/I C4 CY BRANCH STRDS
POC/A. ROSENBLATT/MAJ/HQMC DC/I C4 ICN BRANCH/TEL:571-256-8828/AARON.ROSENBLATT@USMC.MIL//
GENTEXT/REMARKS/1. Commercial Solutions for Classified (CSfC) is a series of capability packages designed by the National Security Agency (NSA) to provide the capability to access classified information without cryptographically controlled Type 1 encryption devices. The current COVID-19 crisis has hastened the requirement for the FMF to access classified information while outside of secure spaces. CSfC is a critical enabler of this capability. Additionally, as outlined in ref (a), today's consumer electronics market is interconnected globally with manufactured components, hardware, integrated chips, and/or source code that can compromise military integrity. Units must strive to mitigate vulnerabilities posed by the proliferation of rogue devices by limiting future procurement of tablets and systems to only those provided by a CSfC, Defense Information Systems Agency (DISA), or National Information Assurance Partnership (NIAP) approved trusted integrator. Furthermore, the U.S. Marine Corps follows refs (b), (c), (d), and (e) for the required security design and risk management authorization and approval of Federal Information systems.
2. Purpose and Intent. This MARADMIN establishes policy guidance to the FMF and supporting establishment in the adoption of CSfC capabilities for the enterprise. Further, this MARADMIN establishes policy guidance to the FMF and supporting establishment when submitting accreditation packages (i.e., CSfC capability or registration) to DC I, IC4.
3. Situation. While CSfC has been a capability for several years, the COVID-19 crisis has elevated its usage to become a capability requirement for the Marine Corps. Marine Corps Systems Command (MCSC) has established an enterprise CSfC Working Group to develop the solution set to satisfy unique Marine Corps CSfC requirements. Marine Forces Central Command has been granted approval to act as the pathfinding organization to help shape Marine Corps requirements for garrison CSfC usage. Also, DISA CSfC offerings through the DISA storefront provide FMF units and the supporting establishment the ability to access SIPR websites and Marine Corps email through Outlook Web Access (OWA). Previously, FMF units desiring to use CSfC tactically have experienced delays or a denial of authority to operate (DATO) decision because of incomplete package submissions. To meet today’s mission objectives, the Marine Corps warfighter has an increasing need for the most modern commercial hardware and software technologies. The NSA CSfC Program offers that technology and the Marine Corps has adapted.
4.a. FMF and supporting establishment units who require a garrison CSfC capability must use DISA provided capabilities until the Marine Corps has developed a capability that meets all Marine Corps unique requirements. FMF and supporting establishment units who require an enterprise solution not offered by DISA must seek concurrence from the CSfC Working Group to ensure the solution meets unique requirements, and will be interoperable with a future enterprise solution.
4.b. For tactical usage, the MAGTF Common Handheld (MCH) is an NSA approved CSfC solution, already determined to meet Marine Corps requirements. Any unit that chooses to deviate from the MCH must similarly request concurrence through the CSfC Working Group.
4.c. After achieving concurrence from the CSfC Working Group, units must submit CSfC requests IAW refs (b), (c), (d) and (e). All new CSfC requests, except for those purchased through the DISA storefront, must receive both risk approval from the NSA and an Authorization To Operate (ATO) through DC I IC4. The following documents (i.e., Registration Form and Checklists are available at https:(slash)(slash)www.nsa.gov/resources/everyone/csfc/solution-registration.shtml) are required to initiate the CSfC approval process:
4.c.1. Registration Form;
4.c.2. Compliance Checklist;
4.c.3. Key Management Checklist (Data At Rest excluded);
4.c.4. Network Diagram/Solution Architecture;
4.c.5. Deviation Request Form (Please duplicate for each requirement you are not able to meet); and,
4.c.6. Concept of Operation document.
5. Once received, the CSfC request will be processed IAW NSA direction and refs (c), (d), & (e).
6. Release authorized by BGen Lorna M. Mahlock, Director, Information, Command, Control, Communications, and Computers (C4) Division.//