CNSSP 8 Clean Copy September 20211
CNSSP 8 Clean Copy September 20211
CNSSP 8 Clean Copy September 20211
CNSSP 8
September 23, 2021
FOREWORD
/s/
TERESA M. TAKAI
CNSS Secretariat (C074) National Security Agency. 9800 Savage Road, STE 6165. Ft Meade, MD 20755-6716
Office Phone Number: (410) 854-6805;
[email protected]
UNCLASSIFIED//FOR OFFICIAL USE ONLY
SECTION I – PURPOSE
1. (U) This policy implements the CNSS’ responsibility to approve the release of
US Government (USG) cryptologic national security systems technical security material,
Cross Domain Solutions (CDS), information, and techniques and assists the National
Manager for U.S. national security systems1 in implementing his responsibility under
paragraph 7.e. of NSD 42 to conduct foreign computer security and communications
security liaison, including entering into agreements with foreign governments and with
international organizations, except for those foreign intelligence relationships conducted
for intelligence purposes by the Director of Central Intelligence. Any such agreements
shall be coordinated with affected departments and agencies. Such agreements govern
the release of USG cryptologic national security systems technical security material,
information, Cross Domain Solutions, and techniques, classified and unclassified, the
export of which is controlled by the International Traffic in Arms Regulations (ITAR), 22
C.F.R. Parts 120-130 2 (Ref.b.). Cybersecurity information that, pursuant to an official
1)1 U.S. “national security systems” means any information system (including any telecommunications system) used or
operated by an agency or by a contractor of an agency, or other organization on behalf of an agency - (1) the function,
operation, or use of which –
(I) involves intelligence activities;
(II) involves cryptographic activities related to national security;
(III) involves command and control of military forces;
(IV) involves equipment that is an integral part of a weapon or weapons system; or
(V) is critical to the direct fulfillment of military or intelligence missions (except for systems used for routine
administrative and business applications; or
2) is protected at all times by procedures established for information that has been specifically authorized under criteria
established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or
foreign policy. 44 U.S.C. § 3542(b)(2). Cryptologic includes but is not limited to encryption devices, cross domain
solutions (CDS), and multi-level security (MLS) systems. For CDS/MLS systems, this policy only covers CDS/MLS
devices that fall under ITAR 121 Category Xiii(b)(4). If the CDS/MLS device is not used to protect USG NSS then
CNSSP 8 does not apply. The CDS being sold must comply with NSA security requirement (e.g. Raise The Bar
(RTB)).
2 Much of the cryptologic national security systems technical security material, information, and techniques governed
by this policy are described in Category XIII of the United States Munitions List, see 22 C.F.R. § 121.1, Category XIII
– Auxiliary Military Equipment, which includes “Military Information Security Assurance Systems and equipment,
cryptographic devices, software, and components specifically designed, developed, modified, adapted, or configured
for military applications” as well as technical data and defense services related to such items. For specific examples,
see the United States Munitions List, available at http://www.pmddtc.state.gov/docs/ITAR/2006/ITAR_Part_121.pdf.
CNSSP 8
SECTION II – AUTHORITY
3. (U) The authority to issue this policy derives from National Security
Directive 42, which outlines the roles and responsibilities for securing national security
systems, consistent with applicable law, E.O. 12333, as amended and other Presidential
directives.
4. (U) Nothing in this Policy shall alter or supersede the authorities of the Director
of National Intelligence or the Director, Central Intelligence Agency.
5. (U) This policy focuses on the approval to release USG cryptologic national
security systems technical security material, Cross Domain Solutions, information and
techniques to foreign governments or international organizations. This policy only
applies to CDS/MLS devices that are used for Foreign Release only. There are two
separate and distinct categories of CDSs and associated processes/oversight management.
6. (U) This policy is applicable to the USG departments and agencies who provide
USG cryptologic national security systems technical security material, information, Cross
Domain Solutions, and techniques to foreign governments or international organizations.
2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CNSSP 8
SECTION IV – POLICY
7. (U) USG cryptologic national security systems technical security material, Cross
Domain Solutions, information, and techniques used to secure U.S. national security
systems are valuable national assets and shall be protected. Such material, information
and techniques will be released to foreign governments or international organizations
only when:
a. (U) There is a clearly defined benefit that is consistent with USG foreign
policy, military, intelligence, or economic objectives; and
b. (U) The release has been specifically authorized by the CNSS consistent with
U.S. law, regulations, Executive Orders, and applicable Presidential Directives in
accordance with the criteria, limitations, and procedures as specified in CNSS issuances.
8. (U) The CNSS or, when appropriate, the National Manager, shall consider
requests submitted by USG departments or agencies to release USG cryptologic national
security systems technical security material, Cross Domain Solutions, information, and
techniques to a foreign government or an international organization if the proposed
releases are clearly consistent with USG foreign policy and military, intelligence, or
economic objectives, and if the release will satisfy requirements to:
3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CNSSP 8
e. (U) CDSs being sold/used for Foreign Release must comply with NSA CDS
security requirements (i.e. Raise the Bar (RTB)).
SECTION V – RESPONSIBILITIES
10. (U) The CNSS shall review and approve initial requests for release to:
a. (U) All foreign governments except for Australia, Canada, New Zealand
and the United Kingdom; and
c. (U) The CDS being sold must comply with NSA security requirement
(e.g.RTB)
11. (U) CNSS Committee Members shall make a determination that the
proposed release satisfies the criteria of this policy.
12. (U) The CNSS Secretariat shall notify Committee Members and the National
Manager of the result of a vote on a proposed release request.
13. (U) The National Manager shall review and approve, as appropriate, all:
a. (U) Document all releases and transfers consistent with the requirements of
this policy; and
4
UNCLASSIFIED//FOR OFFICIAL USE ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CNSSP 8
b. (U) Provide to the CNSS, on an annual basis, a report of such releases and
transfers.
15. (U) In the event of exigent circumstances, where U.S. lives are at risk and time
and circumstances do not allow for review by and approval of the full CNSS membership
and SIGCOM in accordance with paragraph 9 of this policy, the National Manager shall
review such requirements and approve the release of appropriate USG cryptologic
national security systems technical security material, Cross Domain Solutions,
information, and techniques. The National Manager can make a decision to expedite
when circumstances are deemed critical. As soon as practicable, the National Manager
shall provide the CNSS a complete summary of the circumstances as well as a listing of
the types of USG cryptologic national security systems technical security material, Cross
Domain Solutions, information, and techniques released.
SECTION VI – DEFINITIONS
16. (U) Terms defined in CNSS Instruction 4009: Committee on National Security
Systems (CNSS), Glossary, August 2021 (Ref. c) apply to this policy. For purposes of
this policy, the following additional definitions apply:
5
UNCLASSIFIED//FOR OFFICIAL USE ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CNSSP 8
a. (U) National Security Directive 42, National Policy for the Security of
National Security Telecommunications and Information Systems, July 5, 1990
6
UNCLASSIFIED//FOR OFFICIAL USE ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CNSSP 8
Enclosures:
ANNEX A – Procedures for Submitting and Processing Requests for the Release and
Transfer of U.S. Government (USG) Cryptologic National Security Systems Technical
Security Material, Cross Domain Solutions (CDS), Information, and Techniques to
Foreign Governments and International Organizations
7
UNCLASSIFIED//FOR OFFICIAL USE ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
ANNEX A
1. (U) Requests for the Release of U.S. Government (USG) cryptologic national
security systems technical security material, Cross Domain Solutions, information, and
techniques to foreign governments and international organizations from CNSS Member
Organizations covered by Chairman of the Joint Chiefs of Staff Instruction CJCSI
6510.06B, dated 31 March 2011 (Communication Security Release to Foreign Nations)
(Ref. d) shall follow that instruction.
c. (U) In those cases (initial and subsequent requests for release to the
governments of Australia, Canada, New Zealand, and the United Kingdom and transfers
to foreign governments based on previously approved releases) where a decision to
release falls within the purview of the responsibilities listed by CNSSP 8, the National
Manager may recommend and/or approve the release of USG cryptologic
national security systems technical security material, information, Cross Domain
Solutions, and techniques that will satisfy the stated requirement.
d. (U) For other cases, the National Manager will provide feedback to the
A-1 ANNEX A to
UNCLASSIFIED//FOR OFFICIAL USE ONLY CNSSP 8
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CNSSP 8
f. (U//FOUO) In the event the SIGINT Committee determines that the proposed
release will impact adversely on national intelligence programs or objectives putting the
U.S. at risk, the CNSS Secretariat will so advise the CNSS members. The CNSS Chair
will then coordinate with the SIGINT Committee to work through the situation until the
national intelligence issue is resolved.
4. (U) In the event that either the CNSS or the SIGINT Committee cannot reach a
consensus within their own organization or group, the CNSS Secretariat will forward the
CNSS Chairman, supporting documentation for the Chairman’s decision or coordination
at the appropriate leadership level.
A-2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CNSSP 8
h. (U) The National Manager will inform the requesting department or agency
of the CNSS outcome.
5. (U) Requests for the release of USG cryptologic national security systems
technical security material, information, Cross Domain Solutions, and techniques to
Foreign Governments and International Organizations from non-CNSS Member
Organizations shall be sent to the National Manager. The National Manager will follow
the steps outlined in Paragraph 2 above.
6. (U) The National Manager shall maintain a record of all USG cryptologic
national security systems technical security material, information, Cross Domain
Solutions, and techniques released to foreign governments or international organizations
and provide the CNSS with an annual report which summarizes all release activities
during the previous 12-month period unless there has been a government wide shutdown
which would interrupt release activities.
A-3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CNSSP 8
modules, joint exercises, and field training containing USG cryptologic national security
systems technical security material, information, Cross Domain Solutions, and techniques
demonstrations or discussion, must be limited to those foreign students and service
members from foreign nations that have been approved for release of the specific
equipment discussed or addressed in each module. However, many of the foreign
students scheduled to train at U.S. Military Service Training Courses for Officer and
Enlisted Personnel, and foreign participants in joint training exercises, may not be
eligible to receive training on the array of U.S. Type 1 encryption or Controlled
Cryptographic Item devices covered in those course modules or joint training programs.
A-4 ANNEX A to
UNCLASSIFIED//FOR OFFICIAL USE ONLY CNSSP 8