NSA product types

The U.S. National Security Agency (NSA) used to rank cryptographic products or algorithms by a certification called product types. Product types were defined in the National Information Assurance Glossary (CNSSI No. 4009, 2010) which used to define Type 1, 2, 3, and 4 products. The definitions of numeric type products have been removed from the government lexicon and are no longer used in government procurement efforts.

Type 1 product
A Type 1 product was a device or system certified by NSA for use in cryptographically securing classified U.S. Government information. A Type 1 product was defined as:

"Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms. Used to protect systems requiring the most stringent protection mechanisms."

They were available to U.S. Government users, their contractors, and federally sponsored non-U.S. Government activities subject to export restrictions in accordance with International Traffic in Arms Regulations.

Type 1 certification was a rigorous process that included testing and formal analysis of (among other things) cryptographic security, functional security, tamper resistance, emissions security (EMSEC/TEMPEST), and security of the product manufacturing and distribution process.

Type 2 product
A Type 2 product was unclassified cryptographic equipment, assemblies, or components, endorsed by the NSA, for use in telecommunications and automated information systems for the protection of national security information, as defined as:

"Cryptographic equipment, assembly, or component certified by NSA for encrypting or decrypting sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms. Used to protect systems requiring protection mechanisms exceeding best commercial practices including systems used for the protection of unclassified national security information."

Type 3 product
A Type 3 product was a device for use with Sensitive, But Unclassified (SBU) information on non-national security systems, defined as:

"Unclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. Government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. Developed using established commercial standards and containing NIST approved cryptographic algorithms/modules or successfully evaluated by the National Information Assurance Partnership (NIAP)."

Approved encryption algorithms included three-key Triple DES, and AES (although AES can also be used in NSA-certified Type 1 products). Approvals for DES, two-key Triple DES and Skipjack have been withdrawn as of 2015.

Type 4 product
A Type 4 product was an encryption algorithm that was registered with NIST but is not a Federal Information Processing Standard (FIPS), defined as:

"Unevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any Government usage. These products are typically delivered as part of commercial offerings and are commensurate with the vendor’s commercial practices. These products may contain either vendor proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a FIPS."