Alternate format: Guidance for the communications security of SECRET Information (ITSB-79) (PDF, 1 MB)
Purpose
The purpose of this bulletin is to inform the Government of Canada (GC) of the Communications Security Establishment Canada's (CSEC) guidance regarding the use of commercial technologies to safeguard the communications of classified information at the level of SECRET within a departmental local enclave.
CSEC has determined that specific Commercial-Off-The-Shelf (COTS) Virtual Private Network (VPN) devices can provide adequate protection for the communications security of SECRET information being transmitted within the confines of a departmental local enclave.
This technical safeguard is intended to facilitate the implementation of a departmental SECRET network in which users operate a thin-client desktop configuration within a departmental unclassified operations zone and connect to a back-end security zone where the processing and storage of the SECRET information occurs.
Background
CSEC, as the GC lead security agency for developing and promulgating COMSEC-related policy for classified information, has recently concluded an analysis of the use of commercial cryptosystems to safeguard classified information at the SECRET level. Specifically, the use of COTS products was examined with regard to safeguarding the communication of SECRET information within a departmental local enclave.
A departmental local enclave is defined as a site with a single physical perimeter that maintains a common set of security policies (physical, personnel and Information Technology (IT)) under a single authority. Communications external to the enclave are those that extend past this perimeter, for example over the Secure Channel Network (SC Net).
Secure platform for application delivery
CSEC is partnering with Public Works and Government Services Canada (PWGSC) to deliver cost-effective solutions for departmental SECRET networks. PWGSC offers a solution that can be tailored to departmental needs. This offering by PWGSC is titled Secure Platform for Application Delivery (SPAD).
Recommendations
The analysis concluded:
- Communications security external to a local departmental enclave: departments should continue to use the current CSEC-approved technical solution, which is a Type 1 cryptographic device.
- Communications security within a local departmental enclave: given the maturity and capability of available commercial technologies, specific commercially available VPN solutions can be used to adequately secure the communications of SECRET information.
Description of alternative technical solution for departmental enclaves
Departments that plan to deploy a SECRET network are advised to begin their Threat and Risk Assessments (TRA) early in the Requirements stage. The appropriate steps for conducting the TRA are described in the Harmonized TRA Methodology, available on the CSEC website. Subject to the findings of the TRA, CSEC-specified COTS VPN devices may be used.
Departments are advised to use CSEC-recommended COTS VPN solutions, available from CSEC upon request. COTS VPN solutions are also available through PWGSC's SPAD offering for departmental SECRET networks. Any COTS VPN solution will need to be configured, operated, and maintained according to CSEC guidance.
Contacts and assistance
IT Security Client Services
Communications Security Establishment Canada
PO Box 9703, Terminal
Ottawa, ON K1G 3Z4
By email: itsclientservices@cse-cst.gc.ca
Telephone: 613-991-7654
Originally signed by
Toni Moffa
Deputy Chief, IT Security
Date: 2011-07-07