NSA Approved Products List for NSS Cybersecurity

The NSA Approved Products List (APL) is the authoritative catalog of commercial security products evaluated and validated for use within National Security Systems (NSS) across the United States federal government. This page covers the structure of the APL, how products enter and maintain approval status, the scenarios in which federal agencies and contractors encounter APL requirements, and the boundaries that distinguish APL-governed procurement from adjacent federal security frameworks. For professionals navigating NSS cybersecurity procurement, the APL represents one of the most consequential product-selection constraints in the federal acquisition landscape.

Definition and scope

The NSA APL is maintained by the National Security Agency's Cybersecurity Directorate and lists commercial off-the-shelf (COTS) products that have been tested and approved for protecting classified and sensitive national security information. The list is scoped exclusively to systems that fall under the definition of National Security Systems as established in 44 U.S.C. § 3552(b)(6), which includes systems that process intelligence, involve cryptographic activities related to national security, or directly support military or intelligence operations.

Products on the APL span 8 primary technology categories: encryption devices, key management systems, cross-domain solutions (CDS), voice and data communications security equipment, network intrusion detection systems, public key infrastructure (PKI) components, wireless security systems, and media sanitization tools. Each category carries its own evaluation criteria and classification level suitability designations — typically expressed as approved for use at specific classification tiers (Unclassified, Secret, Top Secret, or Top Secret/SCI).

The APL is distinct from the NIAP Product Compliant List (PCL), which is managed by the National Information Assurance Partnership and evaluates products against Common Criteria Protection Profiles for broader federal and international use. APL inclusion reflects NSA-specific operational testing against NSS threat environments, while PCL inclusion reflects international Common Criteria evaluation. For security systems procurement contexts, understanding which list applies to a given system determines which products are legally permissible in a solicitation.

How it works

APL listing follows a structured evaluation process administered through NSA's Cybersecurity Solutions and Operations directorates. The process operates in discrete phases:

  1. Vendor submission — A commercial vendor submits a product for evaluation under the relevant NSA program office, such as the Commercial Solutions for Classified (CSfC) program or the High Assurance Platform (HAP) program, depending on product type and intended use case.
  2. Technical evaluation — NSA security engineers conduct independent testing against classified technical standards, including those derived from CNSS Policy No. 11, which governs national security telecommunications and information systems security requirements.
  3. Conditional or full approval — Products may receive conditional approval (time-limited or use-case-limited) or full approval. Conditional listings often appear when a product meets baseline requirements but lacks full operational validation at all classification levels.
  4. Listing publication — Approved products are published on the NSA APL, accessible through the NSA's public-facing product catalog portal, with designation of classification suitability, applicable use cases, and any known restrictions.
  5. Maintenance and re-evaluation — Approved products are subject to re-evaluation when significant firmware, software, or hardware changes occur. Vendors must notify NSA of material changes; failure to do so can result in delisting.

The Committee on National Security Systems (CNSS), operating under the authority of National Security Presidential Memoranda, sets overarching policy that governs which product categories require APL-level vetting versus NIST-validated alternatives for NSS environments.

Common scenarios

Federal agencies and cleared defense contractors encounter APL requirements across three recurring procurement contexts.

Classified network buildout: When a Department of Defense component or intelligence community agency deploys a new classified enclave, encryptors, key management infrastructure, and cross-domain solutions must be sourced from current APL-listed products. The Defense Information Systems Agency (DISA) coordinates this requirement through its Unified Capabilities Approved Products List (UC APL), which incorporates NSA APL listings for products operating in NSS environments.

CSfC capability package deployment: The NSA Commercial Solutions for Classified program uses layered commercial products to protect classified data. Each CSfC capability package — covering use cases such as campus wireless local area networks, data-at-rest, and mobile access — requires components drawn from the CSfC Components List, which is a subset of the broader APL framework. As of the most recent published capability package documentation available through the NSA CSfC portal, there are 9 defined capability package types.

Contractor-operated systems: Defense contractors operating government-furnished NSS environments under contracts governed by the Defense Federal Acquisition Regulation Supplement (DFARS) must comply with APL requirements when the contract scope involves classified information processing. DFARS clause 252.239-7001 addresses safeguarding requirements for NSS-related contracts.

Decision boundaries

The APL applies when a system meets the NSS definition under 44 U.S.C. § 3552(b)(6) and the product category is one for which NSA has issued an evaluation program. It does not govern all federal IT procurement: systems outside the NSS definition fall under NIST SP 800-53 Rev. 5 and the FIPS 140-3 cryptographic validation program administered by NIST's Cryptographic Module Validation Program (CMVP), not the APL.

The key distinction: FIPS 140-3 validation governs cryptographic module correctness for federal systems broadly; APL listing governs operational suitability for NSS-specific threat environments at classification levels. A product can be FIPS 140-3 validated without being APL-listed; the reverse is extremely rare.

Agencies and contractors determining whether APL compliance is required should reference the system categorization documented in the system's authorization boundary — specifically whether the Authorizing Official has designated the system as an NSS.
