Secure communications solutions

The Cyber Centre provides advice and guidance on using dual-layered, trusted commercial products to protect classified data up to the SECRET level. This free service is offered to all Government of Canada departments.

The Secure Communications Engineering and Assurance Team provides guidance on:

• cyber security architectures
• validated commercial components
• recognized Trusted Integrators

This medium-security approach offers another option to clients who may have traditionally relied on high-security protection products for SECRET.

Secure communications solutions help to secure both data-in-transit and data-at-rest, including:

• wireless mobile communications
• classified network infrastructures

Services

• Secure Tailored Solutions Program: Medium-security protection, dual-layered commercial solutions tailored to your department’s needs.
• Trusted Integrator Program: Recognized third-party professional IT security contracting companies with expertise in secure tailored solutions.

Secure Tailored Solutions Program

In today’s cyber-enabled environment, securing communications against increasingly sophisticated threat actors is paramount.

The Secure Tailored Solutions (STS) Program is designed to help meet modern operational environment needs at the SECRET level by providing medium-security protection products tailored to your department’s needs.

The program is based on the principle that properly configured, dual-layered, commercial off-the-shelf (COTS) products can provide adequate protection of classified data up to and including SECRET.

Benefits of the Secure Tailored Solutions Program

As a client of the STS Program, you can expect:

• advice and guidance from subject matter experts on
  • client requirements
  • solution design options
  • risk assessments

• access to resources including
  • reference architecture documentation
  • client aides
  • client tools

• continuous support
  • during the design and implementation process
  • throughout the lifecycle of the solution

Security monitoring plays an important role in detecting suspicious activity in a secure solution. It is the client’s responsibility to implement these monitoring services to enhance their solution’s security posture.

For guidance on security monitoring requirements, contact the STS Program directly.

Stages of the Secure Tailored Solutions Program

The STS Program has 3 key stages:

Stage 1: Client onboarding

The STS Program works with you to understand your departmental requirements and identify options to meet your desired outcome.

Stage 2: Solution tailoring and implementation

Your STS Program representative discusses the options with you in depth to ensure the end-product is secure, compliant, and tailored to your needs.

Stage 3: Risk and deviation analysis report

The risk and deviation analysis report process, known as RaDAR, is a cycle of continuous engagement between the STS Program and you, the client. It starts as early as possible and continues through the entire lifecycle of the secure solution, including post-implementation.

During the RaDAR process, your STS Program representative will:

• review any client-identified deviations
• assess risks
• outline concerns
• identify mitigations

Commonly used capability packages and annexes

The STS Program is based on the Commercial Solutions for Classified (CSfC) Program developed by the National Security Agency in the United States. STS Solutions are based on reference architectures known as capability packages and annexes.

The STS Program also provides clients with Canadian workbooks containing guidance on implementing the capability packages and annexes in a Canadian context. The program can also provide access to classified risk analysis documents for the capability packages and annexes as appropriate.

The following is a list of the most commonly used capability packages and annexes from the CSfC Program. Your STS Program representative can help you identify the most appropriate resources for your needs.

 

• Mobile Access Capability Package

  The Mobile Access Capability Package (MA CP) protects classified mobile data (including voice and video) transiting wired networks, domestic cellular networks, and wireless networks.

• Campus Wireless Local Area Network Capability Package

  The Campus Wireless local Area Network Capability Package (WLAN CP) allows commercial end user devices to access secure enterprise services when transiting information over a Government of Canada wireless private network.

• Multi-Site Connectivity Capability Package

  The Multi-Site Connectivity Capability Package (MSC CP) protects classified data using multiple encrypted tunnels combined with layers of COTS products sufficient for protecting classified data while in transit across an untrusted network, or a network of a different security level.

• Data at Rest Capability Package

  The Data at Rest Capability Package (DAR CP) protects information stored on an end user device or data-at-rest encrypted system while powered off or not in use.

• Enterprise Gray Implementation Requirements Annex

  This annex helps clients sustainably expand networks across large geographic distances by using their existing infrastructure and services.

• Key Management Requirements Annex

  This annex details how classified data in transit capability package solutions use asymmetric algorithms to establish dual-layer (outer and inner) encryption EncryptionConverting information from one form to another to hide its content and prevent unauthorized access. tunnels.

• Symmetric Key Management Requirements Annex

  This annex serves as a design addendum to existing capability packages and defines the use of symmetric pre-shared keys to provide quantum resistant cryptographic protection of classified information Classified informationA Government of Canada label for specific types of sensitive data that, if compromised, could cause harm to the national interest (e.g. national defence, relationships with other countries, economic interests). .

• Continuous Monitoring Annex

  This annex provides guidance for the collection and analysis of network and security data. It should be integrated into the solution architecture as part of a holistic, risk management, and defence-in-depth Defence-in-depthAn IT security concept (also known as the castle approach) in which multiple layers of security are used to protect the integrity of information. These layers can include anti-virus and anti-spyware software, firewalls, hierarchical passwords, intrusion detection, and biometric identification. information security strategy.

• Wireless Intrusion Detection System (WIDS)/Wireless Intrusion Prevention System (WIPS) Requirements Annex

  This annex provides guidance on monitoring and protecting wireless local area network (WLAN) access systems and securing classified spaces through the use of Wireless Intrusion Detection Intrusion detectionA security service that monitors and analyzes network or system events to warn of unauthorized access attempts. The findings are provided in real-time (or near real-time). Systems and Wireless Intrusion Prevention Systems (WIDS/WIPS).

Trusted Integrator Program

The Trusted Integrator Program recognizes professional third-party IT security contracting companies (Trusted Integrators) who have demonstrated sufficient experience in the development, implementation, and testing (integration) of secure tailored solutions.

Benefits of the Trusted Integrator Program

The Trusted Integrator Program is based on the National Security Agency’s Commercial Solutions for Classified (CSfC) Program. It also leverages the knowledge and expertise of the Cyber Centre’s Secure Tailored Solutions (STS) Program to help clients:

• fill resource gaps for secure communications needs
• improve cyber security practices
• reduce cybercrime
• strengthen the security posture of Canadian institutions
• strengthen relationships between the Cyber Centre and its clients

Through consultation with the client, Trusted Integrators may provide additional services such as:

• maintaining the solution
• troubleshooting
• monitoring the solution to detect and respond to cyber incidents

Leveraging the Trusted Integrator Program

Government of Canada departments wishing to leverage the Trusted Integrator Program should:

• use established contracting methods for obtaining a contractor with a Statement of Work
• include the requirement that the Trusted Integrator must be recognized by the Cyber Centre
• contact the Trusted Integrator Program for the current list of recognized Trusted Integrators

Becoming a Trusted Integrator

IT security contracting companies wishing to become Trusted Integrators should email the Trusted Integrator Program at secure-solutions-securisees@cyber.gc.ca. We will provide you with reference materials on the STS Program and the Trusted Integrator Program application form.

Next steps:

1. The company submits the completed application form along with the resumes of the staff that will be conducting Trusted Integrator activities
2. If the application is accepted, the Trusted Integrator Program representative starts the assessment process
3. If the assessment is successful, the company and the Cyber Centre sign a Memorandum of Agreement and possibly a Non-Disclosure Agreement
4. The company is added to the Cyber Centre’s list of recognized Trusted Integrators