Sign in to my dashboard Create an account

NetApp ONTAP: Store top-secret Data with CSfC validation

a woman
Table Of Contents

Share this page

Matt Trudewind Author Photo
Matt Trudewind

At NetApp, providing our customers with industry-leading data-centric security capabilities to enhance their organizations’ cyber resiliency is a top priority. Nearly 30 years of innovation across our portfolio has included many new security capabilities that protect critical data and let you focus on using the data rather than worrying about how secure it is.

But given today’s vast cyberthreat landscape, claiming that NetApp has “industry-leading data-centric security capabilities” isn’t enough. Just as in high school math class, it’s important to “show your work.” That’s why we’re excited to announce that NetApp® ONTAP® data management software is the industry’s first Commercial Solutions for Classified (CSfC) validated enterprise-class storage solution. This solution enables you to protect data at rest at both the hardware layer (with NSE) and the software layer (with NVE) for enhanced rugged security.

What is CSfC?

To understand the significance of the NetApp CSfC announcement, it’s important to understand what CSfC is. The Commercial Solutions for Classified program is a key component of the U.S. National Security Agency (NSA) commercial cybersecurity strategy. CSfC-validated products require two independent layers of encryption and must meet rigorous security requirements for protection of classified National Security Systems data.

The NSA has directed federal agencies, particularly in the area of defense, that host secret or top-secret data to have CSfC validated storage solutions in place. This announcement is particularly important for federal and U.S. government agencies such as the Department of Defense (DoD). With this validation, they can layer state-of-the-art commercial hardware and software technologies into their data protection and cybersecurity solutions with NetApp ONTAP.

Yes, that’s correct. NetApp ONTAP is validated to host secret and top-secret data.

CSfC validation requires layered encryption

Data-at-rest encryption provides protection from physical theft of data storage devices by using encryption. However, a key aspect of a CSfC solution is the need to provide two independent layers of validated data-at-rest encryption. NetApp ONTAP dual-layer FIPS 140-2 validated encryption capability is a perfect fit because it provides both software encryption at rest (NVE/NAE) and hardware encryption (NSE) at rest.

ONTAP encryption at rest features

Software-based encryption

NetApp Volume Encryption (NVE) is a storage-efficient software data-at-rest encryption solution that enables ONTAP to encrypt data for each volume, which promotes granularity. NVE is a FIPS 140-2 compliant solution. ONTAP software is Protection Profile compliant for both the Full Drive Encryption—Authorization Acquisition 2.0E collaborative Protection Profile and the Full Drive Encryption—Encryption Engine 2.0E collaborative Protection Profile when NVE is enabled and the onboard key manager is configured in Common Criteria mode.

NetApp Aggregate Encryption (NAE) is also available with ONTAP. Although it is not CSfC validated, with NAE, after data is encrypted, all ONTAP storage efficiencies are leveraged because the volumes can share encryption keys across the aggregate.

Both NVE and NAE use a FIPS 140-2 validated cryptomodule to perform encryption and decryption.

Hardware-based encryption

NetApp Storage Encryption (NSE) is configured to use FIPS 140-2 Level 2 self-encrypting drives. By enabling data-at-rest protection through AES 256-bit transparent disk encryption, NSE facilitates compliance and failed or spare drive return. NetApp ONTAP data management software is Protection Profile compliant for the Full Drive Encryption— Authorization Acquisition 2.0E collaborative Protection Profile when used with NSE drives.

All the ONTAP data-at-rest encryption technologies have a negligible performance impact, so there’s no downside to taking advantage of these dual-layer encryption capabilities.

CSfC validation is important for all organizations

The importance of the CSfC validation announcement is not limited to federal agencies; it applies to any customer with concerns about the security of their data. Because it has achieved CSfC validation, ONTAP is capable of storing secret and top-secret data for even the most security-conscious organizations. This solution is more than adequate for even those customers who are most ardently focused on securing their data. 

Benefits for any organization to employ a NetApp ONTAP CSfC solution include the following.

Enhance data confidentiality and integrity with dual-layer encryption. Use both software and hardware to achieve a more robust data encryption solution.

Maintain a secure posture regardless of physical media. Encrypt at the volume level so that the encryption capability can exist independently of the physical media—SSD, SAS, HDD, or NVMe.

Maintain storage efficiencies. Encrypt your data while maintaining NetApp storage efficiencies such as deduplication, compression, and compaction. Maintain all storage efficiencies unless NAE is not allowed in the solution.

Satisfy governance and compliance requirements. Use established security best practices to adhere to and to support compliance with industry regulations and security levels.

Focus on your organizational goals without worrying about security

With the announcement of CSfC validation for NetApp ONTAP, you can be assured that putting even your most sensitive data on a NetApp AFF or FAS array is a wise decision. This is true not only because you can meet your data-centric security goals; ONTAP also provides all the rich enterprise data management features for accessing your data securely wherever and whenever you need it. This ability allows you to focus on your day job without worrying about the security of your organization’s most precious asset, your data.


For more information about the NetApp ONTAP CSfC validated solution, check out the Commercial Solutions for Classified solution brief.

Matt Trudewind

Now on his 2nd tour at NetApp across 10 years, Matt is a Security Evangelist with a primary focus on ransomware prevention and recovery, cyber resiliency, and data-centric portfolio security. This includes but is not limited to Zero Trust, Data Governance and Privacy Frameworks, Security Tools, and Security Best Practices. Prior to this Matt held the dual role of Product Manager and Technical Marketing Engineer for ONTAP Security driving the latest security features and capabilities into NetApp’s flagship product. He has also held the position of Staff Engineer at NetApp during which he focused on ONTAP product Supportability specifically in the areas of networking and SMB/CIFS. In between NetApp stints Matt worked with a NetApp partner (Eze Castle Integration) for 7 years as pre sales/post sales storage architect focusing on early 7-mode to cDOT migration. He has also focused on Microsoft Windows Active Directory, Exchange, SQL and VMware during his 23 years of IT experience with 17 of those years coming in the storage industry. Prior to NetApp and ECI, Matt worked a contract at Microsoft as a Technical Support Engineer.

View all Posts by Matt Trudewind

Next Steps

Drift chat loading